Community

Release notes

The release notes give you an overview of the what’s new, updated, and removed in this version of HAProxy Kubernetes Ingress Controller.

Version 3.0 Jump to heading

Key changes in the HAProxy Kubernetes Ingress Controller 3.0 release include:

Upgraded HAProxy

  • This version upgrades to HAProxy 3.0 as the underlying load balancer engine. From this time onward, the version of the ingress controller will match the HAProxy version.

TCP Custom Resource

  • A new TCP custom resource allows you to set new listening ports for TCP services and map them to backend services. This simplifies TCP load balancing, which had before required you to create a ConfigMap to define the mapping. You can customize the generated frontend with this custom resource. And by using a Backend custom resource, you can customize the generated backend too.

TCP ConfigMap default backend

  • Now, configuration options you set in the ingress controller’s ConfigMap will also apply to backends generated for TCP services added through --configmap-tcp-services. This could be considered a breaking change.

Custom Resource Definitions v1alpha1 removed

  • Support for apiVersion: "core.haproxy.org/v1alpha1" has been removed in this version. This could be considered a breaking change.

Version 1.11 Jump to heading

Key changes in the HAProxy Kubernetes Ingress Controller 1.11 release include:

Upgraded HAProxy

  • This version upgrades to HAProxy 2.8 as the underlying load balancer engine.

Custom Resource Definitions graduated to v1

  • The backend, defaults, and global custom resource definitions that were introduced in version 1.7 provide a number of benefits compared to using annotations in an Ingress resource. These CRDs allow you to customize the ingress controller in a more expressive way, since CRDs support booleans, strings, integers, enums, arrays, and objects. They also ensure better validation, readability, and versioning of your configuration settings. In version 1.11, the CRDs leave the alpha designation and graduate to v1. They now support all HAProxy configuration options.
  • In this version, the API group also changed. Instead of using apiVersion: "core.haproxy.org/v1alpha2" in your custom resources you will use apiVersion: "ingress.v1.haproxy.org/v1", although the old group will still be supported. When migrating to v1, be sure to update your RBAC rules to accomodate this new group.
  • An invalid CRD resource will now display an error message when you try to apply it with kubectl, helping you to catch errors earlier before they can go to production.
  • Version 1.11 deprecates the alpha1 and alpha2 CRD versions. Support for them may be removed in a future version of the ingress controller.
  • A new startup argument --job-check-crd runs a one-time job that updates your CRDs. When you run Helm to install the ingress controller, this argument is automatic so that the job runs once during installation.

QUIC support

  • Version 1.11 adds limited support for the QUIC protocol. It will be enabled automatically if you use TLS via the --default-ssl-certificate argument. To disable it, set --disable-quic. You can also change the ports QUIC uses by setting --quic-bind-port and --quic-announce-port. Also, the --quic-alt-svc-max-age lets you change the Alt-Svc HTTP header.

Upgraded s6-overlay

  • This version upgrades s6-overlay, which is the init system we use in the container, to version v3.

Port changes

  • The HTTP and HTTPS ports on which the ingress controller listens have changed from 80 and 443 to 8080 and 8443, respectively. Mostly, this will affect those who run the ingress controller in external mode. You can change the ports with the --http-bind-port and --https-bind-port startup arguments.

Logging

  • All log messages now contain a unique transaction ID to make it easier to trace back and troubleshoot errors.
  • A new ConfigMap option named log-format-tcp lets you set the format for TCP traffic logs. This applies to the TCP ConfigMap defined by the --configmap-tcp-services startup argument.

Config snippets

  • You can now disable config snippets with the --disable-config-snippets startup argument. It accepts a comma-separated list of any of the following values: backend, frontend, global, and all. For example, a value of --disable-config-snippets=all would disable the following annotations:

    • backend-config-snippet
    • frontend-config-snippet
    • global-config-snippet

Standalone backends

  • You can now instruct the ingress controller to create a separate backend for an Ingress resource by setting the standalone-backend annotation. Although this will likely be uncommon, you could use this to allow more customization per ingress.

Security context

  • The securityContext section of the ingress controller’s Deployment resource has changed. It now sets runAsNonRoot, allowPrivilegeEscalation, and seccompProfile as follows:

    yaml
    securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    runAsUser: 1000
    runAsGroup: 1000
    capabilities:
    drop:
    - ALL
    add:
    - NET_BIND_SERVICE
    seccompProfile:
    type: RuntimeDefault
    yaml
    securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    runAsUser: 1000
    runAsGroup: 1000
    capabilities:
    drop:
    - ALL
    add:
    - NET_BIND_SERVICE
    seccompProfile:
    type: RuntimeDefault

Container images on GitHub

  • We’re hosting the container images on the GitHub Container registry. There you will find nightly builds, which you can deploy to preview features undergoing development. To pull the 1.11 image, use:

    nix
    docker pull ghcr.io/haproxytech/kubernetes-ingress:1.11.0
    nix
    docker pull ghcr.io/haproxytech/kubernetes-ingress:1.11.0

Deprecated features

  • In this version, the whitelist and blacklist annotations have been deprecated and may be removed in a future version. Please migrate to the allow-list and deny-list annotations.

Version 1.10 Jump to heading

Key changes in the HAProxy Kubernetes Ingress Controller 1.10 release include:

Upgraded HAProxy

  • This version upgrades to HAProxy 2.7 as the underlying load balancer engine.

Docker image tags

  • The haproxytech/kubernetes-ingress Docker image now has major.minor version tags, such as 1.8, 1.9, and 1.10 so that users can more easily pin their deployment to a specific version.

Dropped support for Beta versions of Ingress

  • We no longer support the deprecated Kubernetes APIs extensions/v1beta1 and networking.k8s.io/v1beta1 on Ingress resources. Instead, use networking.k8s.io/v1.

Matching of CPU quotas

  • The ingress controller now sets its GOMAXPROCS variable to match the match the Linux container’s CPU quota, providing better performance.

Gateway API (TCPRoute)

  • Added support for the TCPRoute resource in Gateway API. This provides a new way of routing TCP traffic, as an alternative to the --configmap-tcp-services startup argument.

Version 1.9 Jump to heading

Key changes in the HAProxy Kubernetes Ingress Controller 1.9 release include:

Upgraded HAProxy

  • This version upgrades to HAProxy 2.6 as the underlying load balancer engine.

Version 1.8 Jump to heading

Key changes in the HAProxy Kubernetes Ingress Controller 1.8 release include:

Default backend

  • When no ingress rules match, the ingress controller displays a default Not Found web page. To enable this in prior versions, you had to set the startup argument --default-backend-service. This is no longer necessary. The ingress controller will self host a web page for this purpose, reducing the number of services deployed to your Kubernetes cluster.

Upgraded HAProxy

  • This version upgrades to HAProxy 2.5 as the underlying load balancer engine.

Security enhancements

  • The ingress controller process now runs as a non-root user inside its Docker container while keeping the ability to bind to privileged ports 80 and 443.
  • The annotations blacklist and whitelist, which you can use to allow or deny ranges of IP addresses, now accept a file that stores the IP addresses.
  • The new annotation client-strict-sni returns an error if no certificate is found for a client SNI.

Debugging

  • Since version 1.7, if you include the --pprof startup argument the ingress controller exposes pprof debug data at port 6060 at the URL path /debug/pprof. Now you can change the port by specifying the --controller-port argument.
  • If you set the startup argument --prometheus, new Prometheus metrics are exposed at port 6060 at the URL path /metrics. They include diagnostic information such as the amount of memory allocated to the process and CPU time spent.

Do you have any suggestions on how we can improve the content of this page?