Skip to content

Latest commit

 

History

History
358 lines (278 loc) · 26.2 KB

CHANGELOG-v0.15.md

File metadata and controls

358 lines (278 loc) · 26.2 KB
Raw

CHANGELOG v0.15 branch

Major improvements

Highlights of this version:

  • Embedded HAProxy upgrade from 2.4 to 2.6.
  • Change from a legacy controller engine component to controller-runtime.
  • Improvements on Gateway API: v1 API and TCPRoute support
  • Integration tests
  • Dark theme in the documentation

Upgrade notes

Breaking backward compatibility from v0.14:

  • HAProxy Ingress used to start as root by default up to v0.14. Starting on v0.15 the controller container starts as the non root user haproxy, UID 99. This change should impact deployments that need to start as root, e.g. chroot enabled, binding on privileged TCP ports (1024 or below) on old container runtimes, etc. Workloads that need to run as root can, despite the security risk, configure the security context in the deployment resource or Helm chart to enforce starting user as root. See the security doc for configuration examples.
  • Besides starting as non root, the haproxy user ID changed from 1001 to 99. The former 1001 UID was chosen and created in a day docker.io/haproxy container image started as root (2.3 and older). Starting from 2.4 the haproxy user was added as UID 99. In v0.15 we started to use the same UID, so file systems shared between controller and haproxy doesn't have permission issues.
  • Election ID was changed, see the documentation for customization options. Election ID is used by embedded Acme signer and status updater to, respectively, request certificates and update ingress status. A cluster of HAProxy Ingress controllers will elect two controllers at the same time during the rolling update from any other version to v0.15. Ingress status does not have an impact. See Upgrading with embedded Acme below for details about upgrading with embedded Acme signer enabled.
  • Master worker mode is now enabled by default, see the documentation. This mode starts a master HAProxy process in foreground, which controls the worker processes.
  • Helm chart has now a distinct field for the registry of an image, which should impact charts that configure custom repositories. See Upgrading with custom repositories below for the details.
  • Log debug level is enabled by default. HAProxy Ingress has a good balance between low verbosity and useful information on its debug level.
  • Default image for the log sidecar changed from whereisaaron/kube-syslog-sidecar to ghcr.io/crisu1710/kube-syslog-sidecar:0.2.0. It is the same codebase, just adding support for multiple architectures.

Deprecated command-line options

The following command-line options were deprecated on v0.15 and should be removed on a future version:

  • --acme-election-id
  • --disable-pod-list
  • --force-namespace-isolation
  • --healthz-port

See their documentation at the command-line options documentation page.

Upgrading with embedded Acme

Embedded Acme signer uses leader election to request certificates just once, despite the size of the HAProxy Ingress cluster. When rolling update to v0.15, one controller from the older version and another controller from the new version will understand themselves as the leader at the same time, due to the change in the election ID.

The only drawback is that, if the expiring certificate check runs during the rolling update, the embedded Acme signer will call the Acme backend twice per certificate that needs to be issued. This behavior can be avoided by changing the global acme-terms-agreed configuration key as false during the rolling update, updating to true as soon as the rolling update has finished.

Upgrading with custom repositories

HAProxy Ingress Helm chart now uses distinct fields for the registry and the repository of a container image. If a Helm chart customizes image.repository of any container image, now it should consider the image.registry field as well.

v0.14 example:

controller:
  haproxy:
    enabled: true
    image:
      repository: myhub.local/haproxy

Starting on v0.15, registry and repository should be placed on distinct attributes:

controller:
  haproxy:
    enabled: true
    image:
      registry: myhub.local
      repository: haproxy

See the full syntax and default values in the README.md and in the values.yaml files of the HAProxy Ingress Helm chart.

Contributors

v0.15.0-alpha.3

Reference (a3)

  • Release date: 2024-06-16
  • Helm chart: --version 0.15.0-alpha.3 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.15.0-alpha.3
  • Image (Docker Hub): docker.io/jcmoraisjr/haproxy-ingress:v0.15.0-alpha.3
  • Embedded HAProxy version: 2.6.17
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.15.0-alpha.3

Release notes (a3)

This is the third and last alpha version of the v0.15 branch. We'll start beta versions soon, when v0.15 will be forked to its own branch, so v0.16 improvements can start shortly in parallel. Regarding v0.16, we are planning to make a really short release, mostly dropping old code base, updating core dependencies, and adding some nice to have features we are still missing. From v0.17 and beyond the plan is to continue with 2 or 3 minor releases per year we used to have.

Find below a list of improvements made since alpha.2.

Exclusive v0.15 changes include:

  • Master worker mode is true by default, even if external haproxy is not configured. In this mode HAProxy Ingress has a few more configuration options, and it also watches the embedded haproxy process, restarting it in the case it crashes.
  • Integration tests
  • Gateway API v1 support
  • TCPRoute support, from Gateway API
  • New leader election implementation, since leader election provided by controller-runtime causes outages when controller looses an election
  • New documentation theme version: integration without the need of git submodules, dark theme support, improvements in the design

Other changes already merged to the stable branches:

  • Added the steps to configure the embedded HAProxy process to log to stdout, along with controller, useful on dev or small test environments. See doc
  • Added two distinct helm configurations on the getting started guide: one that uses a service load balancer, another one that uses http/s ports assigned to the cluster nodes. See doc

Fixes merged to stable branches:

  • Julien fixed the Vary response header, from Cors, when the backend server returns two or more headers
  • tomklapka and Jan implemented a more fine grained response from Coraza WAF
  • HAProxy process, when embedded and in master-worker mode, was being prematurelly stopped on rolling updates because it was configured in the same pid group of the controller
  • Fix backend selection, when a more generic wildcard hostname was being incorrectly chosen, and it colides with a more specific one which uses mTLS
  • Secure backend configuration, like backend protocol and client side mTLS, can now be configured globally for all ingress resources
  • Auth external configuration can now be configured globally
  • Make sure https redirect happens before path redirect when app-root is configured

Dependencies:

  • embedded haproxy from 2.6.14 to 2.6.17
  • client-go from v0.26.6 to v0.30.2
  • controller-runtime from v0.14.6 to v0.18.4
  • go from 1.19.11 to 1.22.4

Improvements (a3)

New features and improvements since v0.15.0-alpha.2:

  • Add gateway version v1beta1 #994 (jcmoraisjr)
  • Add a framework for integration tests #1081 (jcmoraisjr)
  • Move leader election to a self managed service #1087 (jcmoraisjr)
  • Status update via merge-patch strategy #1091 (jcmoraisjr)
  • Add Gateway API v1 support #1102 (jcmoraisjr)
  • Update linter #1104 (jcmoraisjr)
  • Add TCPRoute support from Gateway API #1103 (jcmoraisjr)
  • Add net bind capability to haproxy bin #1096 (jcmoraisjr)
  • Add tests for http header generation #1115 (jcmoraisjr)
  • Update RBAC configuration and docs to include leases resource for leader election #1127 (jzinkweg)
  • Add ssl-always-follow-redirect option #1118 (jcmoraisjr) - doc
    • Configuration keys:
      • ssl-always-follow-redirect
  • Add TLS related integration tests #1132 (jcmoraisjr)
  • Cleanup outdated properties of golangci-lint gh actions plugin #1140 (Spikhalskiy)
  • Upgrade golang from 1.22.2 to 1.22.4 #1137 (guoard)
  • Upgrade embedded haproxy from 2.6.16 to 2.6.17 #1139 (guoard)
  • Change default master-worker config to true #1134 (jcmoraisjr)
  • doc: update docsy from v0.6.0 to v0.10.0 #1143 (jcmoraisjr)
  • Local building improvements #1135 (jcmoraisjr)
  • doc: add haproxy logging to stdout #1138 (jcmoraisjr)
  • update client-go from v0.30.1 to v0.30.2 0cb2584 (Joao Morais)
  • doc: add a light weight version of haproxy ingress logo #1144 (jcmoraisjr)
  • doc: reorg items and improve helm values in getting started #1145 (jcmoraisjr)
  • update dependencies 914b581 (Joao Morais)

Chart improvements since v0.15.0-alpha.2:

  • Add support to disable automountServiceAccountToken #74 (jr01)
  • Use of automount service account on v1.22 and newer #75 (jcmoraisjr)
  • Allow setting the spec.loadBalancerClass of created Services #77 (mlow)
  • Allow controller to patch ingress status #80 (jcmoraisjr)
  • Fix install output message #81 (jcmoraisjr)

Fixes (a3)

  • Keep all vary header values when adding Origin #1083 (Jul13nT)
  • Fix coraza configuration to use the action variable #1094 (tomklapka,JanHolger)
  • Fix label generation for node discovery #1116 (jcmoraisjr)
  • Ensure https redirect happens before root redirect #1117 (jcmoraisjr)
  • Allows secure backend configuration from global #1119 (jcmoraisjr)
  • Allows to configure auth-url globally #1120 (jcmoraisjr)
  • Move embedded haproxy process to a distinct pid group #1136 (jcmoraisjr)

v0.15.0-alpha.2

Reference (a2)

  • Release date: 2023-07-13
  • Helm chart: --version 0.15.0-alpha.2 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.15.0-alpha.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.15.0-alpha.2
  • Embedded HAProxy version: 2.6.14
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.15.0-alpha.2

Release notes (a2)

This is the second tag of the v0.15 branch. Most of the changes are fixes or improvements merged to stable branches. We still have some refactors under development which are prerequisites for a better Gateway API support. Such refactors will also be applied as new configuration keys, benefiting also Ingress workloads.

Exclusive v0.15 changes include:

  • Robin Schneider added a new default image for the log sidecar with multi architecture support
  • Fix the notification of endpoint changes

Other changes already merged to the stable branches:

  • Karan Chaudhary added EndpointSlices support. This option is disabled by default, enable it by adding --enable-endpointslices-api command-line option.
  • HTTP redirect now has an option to skip some paths, the default configuration adds an exception to /.well-known/acme-challenge.
  • External HAProxy was failing with the message "cannot open the file '/var/lib/haproxy/crt/default-fake-certificate.pem'.". This happened due to missing permission to read certificate and private key files when HAProxy container starts as non root, which is the default since HAProxy 2.4.
  • An update to the External HAProxy example page adds options to fix permission failures to bind ports :80 and :443, see the example page.

Fixes merged to stable branches:

  • ConfigMap based TCP services was randomly missing when the controller started, being reincluded only after the first reconciliation.
  • An endless redirect might happen when configuring redirects on domains whose TLS secret declares two or more domains
  • Configuration snippet was missing on backends in TCP mode
  • ConfigMap based TCP services were making HAProxy to reload without need, depending on the order that service endpoints were being listed
  • Unused HAProxy backends might leak in the configuration, depending on how the configuration is changed, when backend sharding is enabled
  • A wildcard was not being accepted by the CORS Allowed Header configuration

Dependencies:

  • embedded haproxy from 2.6.9 to 2.6.14
  • client-go from v0.26.5 to v0.26.6
  • controller-runtime from v0.14.4 to v0.14.6
  • golang from 1.19.10 to 1.19.11

Improvements (a2)

New features and improvements since v0.15.0-alpha.1:

  • Adds support for EndpointSlices API in master #959 (lafolle) - doc
    • Command-line options:
      • --enable-endpointslices-api
  • Skip acme-challenge path on to/from redirects #995 (jcmoraisjr) - doc
    • Configuration keys:
      • no-redirect-locations
  • Ensure predictable tcp by sorting endpoints #1003 (jcmoraisjr)
  • Change owner of crt/key files to haproxy pid #1004 (jcmoraisjr)
  • Update dependencies #1006 (mrueg)
  • Prefer ingressClassName over annotations in docs #986 (mac-chaffee)
  • Add endpointslice api on v0.15 handler #1013 (jcmoraisjr)
  • update golang from 1.19.10 to 1.19.11 cec71c2 (Joao Morais)
  • update client-go from v0.26.5 to v0.26.6 ce93e8a (Joao Morais)
  • update dependencies 925e6b1 (Joao Morais)

Chart improvements since v0.15.0-alpha.1:

  • improve log sidecar for multiple architectures #62 (Crisu1710)
  • Enables endpointslicesapi #66 (lafolle)
  • ignore PodSecurityPolicy on cluster v1.25 or newer 53c8373 (Joao Morais)
  • Defaults securityContext to allow privileged ports #68 (jcmoraisjr)
  • Revert default securityContext config #70 (jcmoraisjr)
  • Add lifecycle hooks to external HAProxy container #72 (bootc)
  • chore: update HorizontalPodAutoscaler apiVersion #71 (quarckster)
  • add conditional PodDisruptionBudget #73 (jcmoraisjr)

Fixes (a2)

  • Fixes configmap based tcp sync #1001 (jcmoraisjr)
  • Redirect hosts only to domains with associated backends #1010 (jcmoraisjr)
  • fix: config-backend annotation also for TCP-Backends #1009 (genofire)
  • Create endpoints on a predictable order #1011 (jcmoraisjr)
  • Remove generation predicate on endpoints #1012 (jcmoraisjr)
  • Fix shard render when the last backend is removed #1015 (jcmoraisjr)
  • Add wildcard as a valid cors allowed header #1016 (jcmoraisjr)

v0.15.0-alpha.1

Reference (a1)

  • Release date: 2023-02-20
  • Helm chart: --version 0.15.0-alpha.1 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.15.0-alpha.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.15.0-alpha.1
  • Embedded HAProxy version: 2.6.9

Release notes (a1)

This is the first tag of the v0.15 branch, which brings most, if not all the breaking changes expected to the v0.15 release:

  • Controller now starts as the non root haproxy user.
  • haproxy user ID was changed from 1001 to 99.
  • ElectionID changed for leader election.
  • Helm chart has now two separated fields for registry and repository of a container image.
  • Log now uses level 2 by default, a low verbosity level with useful debugging info.

See upgrade notes for detailed info and before update your environment.

Besides that, the following areas had some improvement since v0.14:

  • Embedded and default external HAProxy version was updated to 2.6 instead of the expected 2.5. Non-LTS HAProxy, just like 2.3 and 2.5, have a short lifecycle and we're a few cycles behind their releases. Our plan is to start to release about 2 minor versions per year again, following HAProxy Community Edition releases, so we should expect our v0.16 using HAProxy 2.6 as well. Future controller versions might start to use non LTS again in the future, provided that we're close enough to their release cycle and we don't have a newer LTS version to use instead.
  • HTTP header match is a long awaited feature that needed a few internal refactors to work properly. This is one of the challenging implementations for the Gateway API, which's available for Ingress resources as well. See the HTTP header match documentation for usage examples.
  • HAProxy Ingress now uses controller-runtime as the engine that watches and notifies resource changes. This is a huge internal change that improves code quality and organization, but with almost no externally visible change. The most impacted feature is the Ingress Status Update, which should be rewritten from scratch in order to fit the new controller engine. Give this a few more attention and let us know if you found any problem via our Slack channel, mailing list, or opening a new GitHub issue.

Improvements (a1)

New features and improvements since v0.14.2:

  • update embedded haproxy from 2.4.18 to 2.5.8 6b0a10a (Joao Morais)
  • update golang from 1.17.13 to 1.19.1 781dd7e (Joao Morais)
  • update client-go from v0.23.10 to v0.25.0 c7d8ae3 (Joao Morais)
  • update go mod from 1.17 to 1.19 2d2cb4e (Joao Morais)
  • Add http-header-match annotation #944 (jcmoraisjr) - doc
    • Configuration keys:
      • http-header-match
      • http-header-match-regex
  • Update gateway-api from v0.4.1 v0.5.0 #947 (jcmoraisjr)
  • Update to hugo v0.110.0 and update node deps #968 (mac-chaffee)
  • Add controller-runtime support #933 (jcmoraisjr)
  • Add source IP related config keys #987 (jcmoraisjr) - doc
    • Configuration keys:
      • original-forwarded-for-hdr
      • real-ip-hdr
  • update client-go from v0.25.0 to v0.26.1 1e2fc75 (Joao Morais)
  • update embedded haproxy from 2.5.8 to 2.6.9 2842a74 (Joao Morais)
  • Add optional frontend based external authentication call #988 (jcmoraisjr) - doc
    • Configuration keys:
      • auth-external-placement
  • update go from 1.19.1 to 1.19.6 3a8edee (Joao Morais)
  • Change controller container to non root user #992 (jcmoraisjr)

Chart improvements since v0.14.2:

  • Allow customFiles to be used without custom template #57 (ironashram)
  • Add permissions for leases, needed by leaderelection #58 (mac-chaffee)
  • Fix securityContext conditional in default backend #60 (doriath)
  • Parameterize container port and add missing configs on default backend and prometheus #59 (blafry)
  • Extracted registry value to a separate variable #61 (blafry)

Fixes (a1)

  • Skip status update when update-status is false #991 (jcmoraisjr)