Release notes

The release notes give you an overview of what’s new, updated, and removed in this version of HAProxy Enterprise Kubernetes Ingress Controller.

Version 1.11

Key changes in the HAProxy Enterprise Kubernetes Ingress Controller 1.11 release include:

Upgraded HAProxy Enterprise

  • This version upgrades to HAProxy Enterprise 2.8r1 as the underlying load balancer engine.

Custom Resource Definitions graduated to v1

  • The backend, defaults, and global custom resource definitions that were introduced in version 1.7 provide a number of benefits compared to using annotations in an Ingress resource. These CRDs allow you to customize the ingress controller in a more expressive way, since CRDs support booleans, strings, integers, enums, arrays, and objects. They also ensure better validation, readability, and versioning of your configuration settings. In version 1.11, the CRDs leave the alpha designation and graduate to v1. They now support all HAProxy configuration options.
  • In this version, the API group also changed. Instead of using apiVersion: "core.haproxy.org/v1alpha2" in your custom resources you will use apiVersion: "ingress.v1.haproxy.com/v1", although the old group will still be supported. When migrating to v1, be sure to update your RBAC rules to accommodate this new group.
  • An invalid CRD resource will now display an error message when you try to apply it with kubectl, helping you to catch errors earlier before they can go to production.
  • Version 1.11 deprecates the alpha1 and alpha2 CRD versions. Support for them may be removed in a future version of the ingress controller.
  • A new startup argument --job-check-crd runs a one-time job that updates your CRDs. When you run Helm to install the ingress controller, this argument is automatic so that the job runs once during installation.

QUIC support

  • Version 1.11 adds limited support for the QUIC protocol. It will be enabled automatically if you use TLS via the --default-ssl-certificate argument. To disable it, set --disable-quic. You can also change the ports QUIC uses by setting --quic-bind-port and --quic-announce-port. Also, the --quic-alt-svc-max-age argument lets you change the Alt-Svc HTTP header.

Upgraded s6-overlay

  • This version upgrades s6-overlay, which is the init system we use in the container, to version v3.

Port changes

  • The HTTP and HTTPS ports on which the ingress controller listens have changed from 80 and 443 to 8080 and 8443, respectively. Mostly, this will affect those who run the ingress controller in external mode. You can change the ports with the --http-bind-port and --https-bind-port startup arguments.

Logging

  • All log messages now contain a unique transaction ID to make it easier to trace back and troubleshoot errors.
  • A new ConfigMap option named log-format-tcp lets you set the format for TCP traffic logs. This applies to the TCP ConfigMap defined by the --configmap-tcp-services startup argument.

Config snippets

  • You can now disable config snippets with the --disable-config-snippets startup argument. It accepts a comma-separated list of any of the following values: backend, frontend, global, and all. For example, a value of --disable-config-snippets=all would disable the following annotations:

    • backend-config-snippet
    • frontend-config-snippet
    • global-config-snippet

Standalone backends

  • You can now instruct the ingress controller to create a separate backend for an Ingress resource by setting the standalone-backend annotation. Although this will likely be uncommon, you could use this to allow more customization per ingress.

Security context

  • The securityContext section of the ingress controller’s Deployment resource has changed. It now sets runAsNonRoot, allowPrivilegeEscalation, and seccompProfile as follows:

    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      runAsUser: 1000
      runAsGroup: 1000
      capabilities:
        drop:
          - ALL
        add:
          - NET_BIND_SERVICE
      seccompProfile:
        type: RuntimeDefault

Deprecated features

  • In this version, the whitelist and blacklist annotations have been deprecated and may be removed in a future version. Please migrate to the allow-list and deny-list annotations.
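A pre-upgrade audit for the 1.11 changes listed above (the old CRD API group, the whitelist and blacklist annotations, and annotations that --disable-config-snippets would switch off). This is an added example, not part of the release notes or the product. It scans manifests line by line rather than parsing YAML, the `example.test/` annotation prefix is a placeholder, and the mapping of each --disable-config-snippets value to the matching annotation is an assumption.

```python
import re
# Names and values are taken from the 1.11 notes above.
OLD_API, NEW_API = "core.haproxy.org/v1alpha2", "ingress.v1.haproxy.com/v1"
RENAMED = {"whitelist": "allow-list", "blacklist": "deny-list"}
SNIPPETS = {f"{s}-config-snippet": s for s in ("backend", "frontend", "global")}
API_RE = re.compile(r"^\s*apiVersion:\s*[\"']?([^\"'\s#]+)")
# Key with an optional "prefix/"; the page gives no prefix, so it is ignored.
KEY_RE = re.compile(r"^(\s*)[\"']?(?:[\w.-]+/)?([\w-]+)[\"']?\s*:")

def audit(manifest, disabled_snippets=""):
    """Return (line_no, message) pairs; disabled_snippets mirrors --disable-config-snippets."""
    disabled = {v.strip() for v in disabled_snippets.split(",") if v.strip()}
    findings, ann_indent = [], None
    for no, line in enumerate(manifest.splitlines(), 1):
        api = API_RE.match(line)
        if api and api.group(1) == OLD_API:
            findings.append((no, f"{OLD_API} is deprecated: use {NEW_API} and update RBAC"))
        key = KEY_RE.match(line)
        if not key:
            continue
        indent, name = len(key.group(1)), key.group(2)
        if ann_indent is not None and indent <= ann_indent:
            ann_indent = None  # left the annotations mapping
        if name == "annotations":
            ann_indent = indent
        elif ann_indent is None:
            continue  # only keys under annotations are checked below
        elif name in RENAMED:
            findings.append((no, f"{name} is deprecated: use {RENAMED[name]}"))
        elif name in SNIPPETS and disabled & {"all", SNIPPETS[name]}:
            findings.append((no, f"{name} is disabled by --disable-config-snippets"))
    return findings

# Constructed sample; "example.test/" is a placeholder annotation prefix.
SAMPLE = """\
apiVersion: "core.haproxy.org/v1alpha2"
kind: Backend
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    example.test/whitelist: "10.0.0.0/8"
    example.test/backend-config-snippet: |
      http-request deny if { path /admin }
    example.test/deny-list: "192.0.2.0/24"
"""
if __name__ == "__main__":
    print(*audit(SAMPLE, "backend"), sep="\n")
```

Run it over exported manifests before upgrading; a snippet finding means that annotation stops taking effect once the argument is set.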

Version 1.10

Key changes in the HAProxy Enterprise Kubernetes Ingress Controller 1.10 release include:

Upgraded HAProxy

  • This version upgrades to HAProxy Enterprise 2.7r1 as the underlying load balancer engine.

New tech dump feature

  • A new feature for getting a tech dump will assist in troubleshooting.

Dropped support for Beta versions of Ingress

  • We no longer support the deprecated Kubernetes APIs extensions/v1beta1 and networking.k8s.io/v1beta1 on Ingress resources. Instead, use networking.k8s.io/v1.

Matching of CPU quotas

  • The ingress controller now sets its GOMAXPROCS variable to match the Linux container’s CPU quota, providing better performance.

Gateway API (TCPRoute)

  • Added support for the TCPRoute resource in Gateway API. This provides a new way of routing TCP traffic, as an alternative to the --configmap-tcp-services startup argument.

Version 1.9

Key changes in the HAProxy Enterprise Kubernetes Ingress Controller 1.9 release include:

Upgraded HAProxy Enterprise

  • This version upgrades to HAProxy Enterprise 2.6 as the underlying load balancer engine.

Prometheus metrics for config snippets

  • The Prometheus endpoint, which provides network traffic metrics, now includes metrics that will help when troubleshooting config snippets. Errors in config snippet files can prevent them from loading. The metric haproxy_active_backend_config_snippets shows successfully loaded, active config snippets; haproxy_inactive_backend_config_snippets shows inactive snippets that didn’t load correctly; haproxy_unable_to_sync_configuration shows a 1 if any config snippets are inactive or a 0 otherwise.

RedHat Docker image

  • You can now deploy the ingress controller’s RedHat Enterprise Linux Docker image, hapee-ingress-ubi.

External mode configuration file

  • You can store startup arguments in a YAML file when running in external mode. Use the startup argument --config-file to set the YAML file to load.

Other improvements

  • The Global, Defaults, and Backend custom resources received minor updates.
  • We added trace logs for endpoints and servers. Set the startup argument --log=trace to see trace-level logs.

Version 1.8

Key changes in the HAProxy Enterprise Kubernetes Ingress Controller 1.8 release include:

New configuration file

  • Startup arguments that previously had to be set as command-line arguments can now be saved in a YAML file by using the --config-file argument, promoting reusability.

Default backend

  • When no ingress rules match, the ingress controller displays a default Not Found web page. To enable this in prior versions, you had to set the startup argument --default-backend-service. This is no longer necessary. The ingress controller will self-host a web page for this purpose, reducing the number of services deployed to your Kubernetes cluster.

Upgraded HAProxy Enterprise

  • This version upgrades to HAProxy Enterprise 2.5 as the underlying load balancer engine.

Security enhancements

  • The ingress controller process now runs as a non-root user inside its Docker container while keeping the ability to bind to privileged ports 80 and 443.
  • The annotations blacklist and whitelist, which you can use to allow or deny ranges of IP addresses, now accept a file that stores the IP addresses.
  • The new annotation client-strict-sni returns an error if no certificate is found for a client SNI.

Debugging

  • Since version 1.7, if you include the --pprof startup argument the ingress controller exposes pprof debug data at port 6060 at the URL path /debug/pprof. Now you can change the port by specifying the --controller-port argument.
  • If you set the startup argument --prometheus, new Prometheus metrics are exposed at port 6060 at the URL path /metrics. They include diagnostic information such as the amount of memory allocated to the process and CPU time spent.
