Release notes
The release notes give you an overview of what’s new, updated, and removed in this version of HAProxy Kubernetes Ingress Controller.
Version 3.0
Key changes in the HAProxy Kubernetes Ingress Controller 3.0 release include:
Upgraded HAProxy
- This version upgrades to HAProxy 3.0 as the underlying load balancer engine. From this time onward, the version of the ingress controller will match the HAProxy version.
TCP Custom Resource
- A new `TCP` custom resource allows you to set new listening ports for TCP services and map them to backend services. This simplifies TCP load balancing, which previously required you to create a ConfigMap to define the mapping. You can customize the generated frontend with this custom resource. And by using a `Backend` custom resource, you can customize the generated backend too.
TCP ConfigMap default backend
- Now, configuration options you set in the ingress controller’s ConfigMap will also apply to backends generated for TCP services added through `--configmap-tcp-services`. This could be considered a breaking change.
Custom Resource Definitions v1alpha1 removed
- Support for `apiVersion: "core.haproxy.org/v1alpha1"` has been removed in this version. This could be considered a breaking change.
Version 1.11
Key changes in the HAProxy Kubernetes Ingress Controller 1.11 release include:
Upgraded HAProxy
- This version upgrades to HAProxy 2.8 as the underlying load balancer engine.
Custom Resource Definitions graduated to v1
- The `backend`, `defaults`, and `global` custom resource definitions that were introduced in version 1.7 provide a number of benefits compared to using annotations in an `Ingress` resource. These CRDs allow you to customize the ingress controller in a more expressive way, since CRDs support booleans, strings, integers, enums, arrays, and objects. They also ensure better validation, readability, and versioning of your configuration settings. In version 1.11, the CRDs leave the `alpha` designation and graduate to `v1`. They now support all HAProxy configuration options.
- In this version, the API group also changed. Instead of using `apiVersion: "core.haproxy.org/v1alpha2"` in your custom resources you will use `apiVersion: "ingress.v1.haproxy.org/v1"`, although the old group will still be supported. When migrating to `v1`, be sure to update your RBAC rules to accommodate this new group.
- An invalid CRD resource will now display an error message when you try to apply it with `kubectl`, helping you to catch errors earlier before they can go to production.
- Version 1.11 deprecates the `alpha1` and `alpha2` CRD versions. Support for them may be removed in a future version of the ingress controller.
- A new startup argument `--job-check-crd` runs a one-time job that updates your CRDs. When you run Helm to install the ingress controller, this argument is automatic so that the job runs once during installation.
QUIC support
- Version 1.11 adds limited support for the QUIC protocol. It will be enabled automatically if you use TLS via the `--default-ssl-certificate` argument. To disable it, set `--disable-quic`. You can also change the ports QUIC uses by setting `--quic-bind-port` and `--quic-announce-port`. Also, the `--quic-alt-svc-max-age` argument lets you change the `Alt-Svc` HTTP header.
Upgraded s6-overlay
- This version upgrades s6-overlay, which is the init system we use in the container, to version v3.
Port changes
- The HTTP and HTTPS ports on which the ingress controller listens have changed from 80 and 443 to 8080 and 8443, respectively. Mostly, this will affect those who run the ingress controller in external mode. You can change the ports with the `--http-bind-port` and `--https-bind-port` startup arguments.
Logging
- All log messages now contain a unique transaction ID to make it easier to trace back and troubleshoot errors.
- A new ConfigMap option named `log-format-tcp` lets you set the format for TCP traffic logs. This applies to the TCP ConfigMap defined by the `--configmap-tcp-services` startup argument.
Config snippets
- You can now disable config snippets with the `--disable-config-snippets` startup argument. It accepts a comma-separated list of any of the following values: `backend`, `frontend`, `global`, and `all`. For example, a value of `--disable-config-snippets=all` would disable the following annotations:
  - `backend-config-snippet`
  - `frontend-config-snippet`
  - `global-config-snippet`
Standalone backends
- You can now instruct the ingress controller to create a separate `backend` for an `Ingress` resource by setting the `standalone-backend` annotation. Although this will likely be uncommon, you could use this to allow more customization per ingress.
Security context
- The `securityContext` section of the ingress controller’s `Deployment` resource has changed. It now sets `runAsNonRoot`, `allowPrivilegeEscalation`, and `seccompProfile` as follows:

```yaml
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  runAsUser: 1000
  runAsGroup: 1000
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  seccompProfile:
    type: RuntimeDefault
```
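
If you maintain your own Deployment manifest rather than the project's, you can compare it against the values above. The following is an added example, not code from the HAProxy project: it reads the JSON that `kubectl get deployment <name> -o json` returns and lists every field that differs. It assumes the settings live in each container's `securityContext`; the container name and sample document are constructed.

```python
import json

# Values listed in the 1.11 release notes for the controller's securityContext.
EXPECTED = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "runAsUser": 1000,
    "runAsGroup": 1000,
    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}

def diff_context(actual, expected=EXPECTED, path="securityContext"):
    """Return one 'path: expected X, found Y' string per mismatching field."""
    actual = actual if isinstance(actual, dict) else {}
    problems = []
    for key, want in expected.items():
        here, got = f"{path}.{key}", actual.get(key)
        if isinstance(want, dict):
            problems += diff_context(got, want, here)
        elif isinstance(want, list):
            # Order of capabilities is irrelevant; extra entries are a mismatch.
            if sorted(got or []) != sorted(want):
                problems.append(f"{here}: expected {want!r}, found {got!r}")
        elif got != want:
            problems.append(f"{here}: expected {want!r}, found {got!r}")
    return problems

def audit_deployment(deployment_json):
    """Map each container name to its list of securityContext mismatches."""
    doc = json.loads(deployment_json)
    containers = doc["spec"]["template"]["spec"]["containers"]
    return {c["name"]: diff_context(c.get("securityContext")) for c in containers}

# Constructed sample: allowPrivilegeEscalation is unset and NET_ADMIN was added.
SAMPLE = json.dumps({"spec": {"template": {"spec": {"containers": [{
    "name": "controller",  # hypothetical container name
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
        "capabilities": {"drop": ["ALL"],
                         "add": ["NET_BIND_SERVICE", "NET_ADMIN"]},
        "seccompProfile": {"type": "RuntimeDefault"},
    }}]}}}})

if __name__ == "__main__":
    for name, problems in audit_deployment(SAMPLE).items():
        print(name, problems or "matches the 1.11 securityContext")
```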
Container images on GitHub
- We’re hosting the container images on the GitHub Container registry. There you will find nightly builds, which you can deploy to preview features undergoing development. To pull the 1.11 image, use:

```sh
docker pull ghcr.io/haproxytech/kubernetes-ingress:1.11.0
```
Deprecated features
- In this version, the `whitelist` and `blacklist` annotations have been deprecated and may be removed in a future version. Please migrate to the `allow-list` and `deny-list` annotations.
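
Before upgrading, you can scan your manifests for the CRD API versions and annotations that these notes mark as removed or deprecated. This is an added example, not part of the original release notes or the project's tooling; the sample manifest is constructed, and the `haproxy.org/` annotation prefix in it is an assumption, since the notes name the annotations without a prefix.

```python
import re
# What the release notes say about each CRD apiVersion and annotation.
API_VERSION_NOTES = {
    "core.haproxy.org/v1alpha1": "support removed in 3.0",
    "core.haproxy.org/v1alpha2": "deprecated in 1.11; use ingress.v1.haproxy.org/v1",
}
ANNOTATION_NOTES = {
    "whitelist": "deprecated in 1.11; use allow-list",
    "blacklist": "deprecated in 1.11; use deny-list",
}

API_RE = re.compile(r"""^\s*apiVersion:\s*["']?([^"'\s#]+)""")
# Assumption: a key may carry any "<prefix>/" (the notes give no prefix).
ANNOTATION_RE = re.compile(r"""^\s*["']?(?:[\w.-]+/)?(whitelist|blacklist)["']?\s*:""")

def audit_manifest(text):
    """Return (line_number, item, note) for each removed or deprecated item."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        api = API_RE.match(line)
        ann = ANNOTATION_RE.match(line)
        if api and api.group(1) in API_VERSION_NOTES:
            findings.append((n, api.group(1), API_VERSION_NOTES[api.group(1)]))
        elif ann:
            findings.append((n, ann.group(1), ANNOTATION_NOTES[ann.group(1)]))
    return findings

# Constructed sample: four manifests in one multi-document YAML stream.
SAMPLE = '''\
apiVersion: "core.haproxy.org/v1alpha1"
kind: Backend
---
apiVersion: core.haproxy.org/v1alpha2
kind: Global
---
apiVersion: "ingress.v1.haproxy.org/v1"
kind: Defaults
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    haproxy.org/whitelist: "10.0.0.0/8"
    haproxy.org/allow-list: "192.168.0.0/16"
'''

if __name__ == "__main__":
    print("\n".join("line %d: %s (%s)" % f for f in audit_manifest(SAMPLE)))
```

The scan is line-based so it needs no YAML library; it reports where to look and does not rewrite anything.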
Version 1.10
Key changes in the HAProxy Kubernetes Ingress Controller 1.10 release include:
Upgraded HAProxy
- This version upgrades to HAProxy 2.7 as the underlying load balancer engine.
Docker image tags
- The haproxytech/kubernetes-ingress Docker image now has major.minor version tags, such as 1.8, 1.9, and 1.10 so that users can more easily pin their deployment to a specific version.
Dropped support for Beta versions of Ingress
- We no longer support the deprecated Kubernetes APIs `extensions/v1beta1` and `networking.k8s.io/v1beta1` on Ingress resources. Instead, use `networking.k8s.io/v1`.
Matching of CPU quotas
- The ingress controller now sets its GOMAXPROCS variable to match the Linux container’s CPU quota, providing better performance.
Gateway API (TCPRoute)
- Added support for the TCPRoute resource in Gateway API. This provides a new way of routing TCP traffic, as an alternative to the `--configmap-tcp-services` startup argument.
Version 1.9
Key changes in the HAProxy Kubernetes Ingress Controller 1.9 release include:
Upgraded HAProxy
- This version upgrades to HAProxy 2.6 as the underlying load balancer engine.
Version 1.8
Key changes in the HAProxy Kubernetes Ingress Controller 1.8 release include:
Default backend
- When no ingress rules match, the ingress controller displays a default Not Found web page. To enable this in prior versions, you had to set the startup argument `--default-backend-service`. This is no longer necessary. The ingress controller will self host a web page for this purpose, reducing the number of services deployed to your Kubernetes cluster.
Upgraded HAProxy
- This version upgrades to HAProxy 2.5 as the underlying load balancer engine.
Security enhancements
- The ingress controller process now runs as a non-root user inside its Docker container while keeping the ability to bind to privileged ports 80 and 443.
- The annotations `blacklist` and `whitelist`, which you can use to allow or deny ranges of IP addresses, now accept a file that stores the IP addresses.
- The new annotation `client-strict-sni` returns an error if no certificate is found for a client SNI.
Debugging
- Since version 1.7, if you include the `--pprof` startup argument the ingress controller exposes pprof debug data at port 6060 at the URL path `/debug/pprof`. Now you can change the port by specifying the `--controller-port` argument.
- If you set the startup argument `--prometheus`, new Prometheus metrics are exposed at port 6060 at the URL path `/metrics`. They include diagnostic information such as the amount of memory allocated to the process and CPU time spent.