Changelog v0.9-beta.1

CHANGELOG.md

@@ -1,5 +1,126 @@
 # CHANGELOG
 
+## v0.9
+
+### v0.9-beta.1
+
+Breaking backward compatibility from [v0.8](#v08):
+
+* TLS 1.0 and 1.1 was dropped in the default configuration. Several cipher suites was dropped as well, mostly non ephemeral key exchange algorithms. This might break old http clients. See the v0.8 default values in the [SSL cipher suite](https://haproxy-ingress.github.io/docs/configuration/keys/#ssl-ciphers) and [SSL options](https://haproxy-ingress.github.io/docs/configuration/keys/#ssl-options) docs and adjust the configuration if needed.
+* Some default configurations was changed to improve performance of a vanilla deployment, this might cause unexpected behaviour:
+  * Default `dynamic-scaling` configuration key was changed from `false` to `true`
+  * Default `nbthread` configuration key was changed from `1` to `2`
+  * Default `--reload-strategy` command-line option was changed from `native` to `reusesocket`
+
+Highlights of this version:
+
+* HAProxy upgrade from 1.8 to 1.9
+* HTTP/2 support in the backend side
+* TLS 1.3 support
+* Certificate update using ACME-v2 protocol
+* Hability to run as non-root, see the [security](https://haproxy-ingress.github.io/docs/configuration/keys/#security) doc
+
+New features:
+
+* Use one bind per frontend [#382](https://github.com/jcmoraisjr/haproxy-ingress/pull/382)
+* Update to haproxy 1.9.10 [#381](https://github.com/jcmoraisjr/haproxy-ingress/pull/381)
+* Add h2 backend proto and use-htx global option [#387](https://github.com/jcmoraisjr/haproxy-ingress/pull/387)
+  * Configuration keys:
+    * `ingress.kubernetes.io/backend-protocol` - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#backend-protocol)
+    * `use-htx` - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#use-htx)
+* Make sni optional if a certificate is optional and is not provided [#392](https://github.com/jcmoraisjr/haproxy-ingress/pull/392)
+* Add custom-frontend snippet to http:80 frontend [#395](https://github.com/jcmoraisjr/haproxy-ingress/pull/395)
+* Join samples using concat [#393](https://github.com/jcmoraisjr/haproxy-ingress/pull/393)
+* Use 421 response if sni and headers does not match [#394](https://github.com/jcmoraisjr/haproxy-ingress/pull/394)
+* Add syslog-length configmap option [#396](https://github.com/jcmoraisjr/haproxy-ingress/pull/396) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#syslog)
+  * Configuration keys:
+    * `ingress.kubernetes.io/syslog-length`
+* Add CRL Support in the TLS Secret for Client Authentication [#328](https://github.com/jcmoraisjr/haproxy-ingress/pull/328)
+* Add CRL support in the new controller [#399](https://github.com/jcmoraisjr/haproxy-ingress/pull/399)
+  * Configuration keys:
+    * `ingress.kubernetes.io/auth-tls-secret` - new optional file `ca.crl` - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#auth-tls)
+    * `ingress.kubernetes.io/secure-verify-ca-secret` - new optional file `ca.crl` - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#secure-backend)
+* Add per request deployment group selection - blue/green deployment [#402](https://github.com/jcmoraisjr/haproxy-ingress/pull/402) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#blue-green)
+  * Configuration keys:
+    * `ingress.kubernetes.io/blue-green-cookie`
+    * `ingress.kubernetes.io/blue-green-header`
+* Sort ingress using creation timestamp [#405](https://github.com/jcmoraisjr/haproxy-ingress/pull/405)
+* Update default TLS versions and ciphers for client and server connections [#403](https://github.com/jcmoraisjr/haproxy-ingress/pull/403) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#ssl-ciphers)
+  * Configuration keys:
+    * `ssl-cipher-suites`
+    * `ssl-cipher-suites-backend`
+    * `ssl-ciphers-backend`
+* Update to haproxy 1.9.11 [#406](https://github.com/jcmoraisjr/haproxy-ingress/pull/406)
+* Add session-cookie-shared [#419](https://github.com/jcmoraisjr/haproxy-ingress/pull/419)
+* Add dynamic-scaling false option [#420](https://github.com/jcmoraisjr/haproxy-ingress/pull/420)
+* Improve sorting of internal state [#423](https://github.com/jcmoraisjr/haproxy-ingress/pull/423)
+* Tuning default thread number and reload strategy [#424](https://github.com/jcmoraisjr/haproxy-ingress/pull/424)
+* Add leader election [#431](https://github.com/jcmoraisjr/haproxy-ingress/pull/431)
+* Add work queue [#430](https://github.com/jcmoraisjr/haproxy-ingress/pull/430)
+* Add forwardfor option - update [#437](https://github.com/jcmoraisjr/haproxy-ingress/pull/437) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#forwardfor)
+  * Configuration keys:
+    * `ingress.kubernetes.io/forwardfor` - new option `update`
+* Add support for Mod Security DetectionOnly Mode [#443](https://github.com/jcmoraisjr/haproxy-ingress/pull/443) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#waf)
+  * Configuration keys:
+    * `ingress.kubernetes.io/waf-mode`
+* Add initial-weight config key [#444](https://github.com/jcmoraisjr/haproxy-ingress/pull/444)
+* Improve fronting proxy config [#434](https://github.com/jcmoraisjr/haproxy-ingress/pull/434)
+* Update Go version and use Go mod [#439](https://github.com/jcmoraisjr/haproxy-ingress/pull/439)
+* Update to haproxy 1.9.12 [#446](https://github.com/jcmoraisjr/haproxy-ingress/pull/446)
+* Initialize leader election only if needed [#447](https://github.com/jcmoraisjr/haproxy-ingress/pull/447)
+* Add ip+port bind support for http/https/fronting-proxy [#452](https://github.com/jcmoraisjr/haproxy-ingress/pull/452)
+* Add failure rate limit on work queue [#457](https://github.com/jcmoraisjr/haproxy-ingress/pull/457)
+* Customizeable goarch [#472](https://github.com/jcmoraisjr/haproxy-ingress/pull/472)
+* dumb-init added from alpine repo [#471](https://github.com/jcmoraisjr/haproxy-ingress/pull/471)
+* Add acme v02 support [#391](https://github.com/jcmoraisjr/haproxy-ingress/pull/391)
+  * Configuration keys - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#acme):
+    * `acme-emails`
+    * `acme-endpoint`
+    * `acme-expiring`
+    * `acme-shared`
+    * `acme-terms-agreed`
+    * `ingress.kubernetes.io/cert-signer`
+  * Command-line options - [doc](https://haproxy-ingress.github.io/docs/configuration/command-line/#acme):
+    * `--acme-check-period`
+    * `--acme-election-id`
+    * `--acme-fail-initial-duration`
+    * `--acme-fail-max-duration`
+    * `--acme-secret-key-name`
+    * `--acme-server`
+    * `--acme-token-configmap-name`
+    * `--acme-track-tls-annotation`
+* Update to haproxy 1.9.13 [#475](https://github.com/jcmoraisjr/haproxy-ingress/pull/475)
+* Update dependencies to k8s 1.16.3 [#474](https://github.com/jcmoraisjr/haproxy-ingress/pull/474)
+* Add 4xx error pages and CORS Preflight as Lua services [#481](https://github.com/jcmoraisjr/haproxy-ingress/pull/481)
+* Check acme account before retrieving [#479](https://github.com/jcmoraisjr/haproxy-ingress/pull/479)
+* Improve equality comparison with acme changes [#478](https://github.com/jcmoraisjr/haproxy-ingress/pull/478)
+* Add security options [#484](https://github.com/jcmoraisjr/haproxy-ingress/pull/484) - [doc](https://haproxy-ingress.github.io/docs/configuration/keys/#security)
+  * Configuration keys:
+    * `use-chroot`
+    * `use-haproxy-user`
+
+Fixes:
+
+* Fix case on requests from 80/http [#425](https://github.com/jcmoraisjr/haproxy-ingress/pull/425)
+* Fix case on per-path backend requests [#427](https://github.com/jcmoraisjr/haproxy-ingress/pull/427)
+* Fix cross-namespace command-line option [#433](https://github.com/jcmoraisjr/haproxy-ingress/pull/433)
+* Fix host match with a port number [#436](https://github.com/jcmoraisjr/haproxy-ingress/pull/436)
+* Fix hostname match of domains with client cert auth [#453](https://github.com/jcmoraisjr/haproxy-ingress/pull/453)
+* Fix panic reading empty targetRef from ep [#455](https://github.com/jcmoraisjr/haproxy-ingress/pull/455)
+* Fix txn.namespace on http requests [#463](https://github.com/jcmoraisjr/haproxy-ingress/pull/463)
+* Do ssl-redirect only if tls declares the hostname [#465](https://github.com/jcmoraisjr/haproxy-ingress/pull/465)
+* Fix case on per-path backend maps [#466](https://github.com/jcmoraisjr/haproxy-ingress/pull/466)
+* Use the found match pattern [#468](https://github.com/jcmoraisjr/haproxy-ingress/pull/468)
+* Improve response error on sni mismatch [#470](https://github.com/jcmoraisjr/haproxy-ingress/pull/470)
+* Fix haproxy.cfg permissions [#476](https://github.com/jcmoraisjr/haproxy-ingress/pull/476)
+
+Docs:
+
+* docs: update deployment and DaemonSet APIs to apps/v1 [#415](https://github.com/jcmoraisjr/haproxy-ingress/pull/415)
+* docs: starting version [#417](https://github.com/jcmoraisjr/haproxy-ingress/pull/417)
+* docs: update deploy and ds api to apps/v1 [#422](https://github.com/jcmoraisjr/haproxy-ingress/pull/422)
+* docs: defaults for cors-allow-methods and -headers [#445](https://github.com/jcmoraisjr/haproxy-ingress/pull/445)
+
 ## v0.8
 
 ### v0.8-beta.1
@@ -36,7 +157,7 @@ Fixes and improvements since [v0.7](#v07):
 * Fix port retrieval for terminatingPod with named targetPort [#331](https://github.com/jcmoraisjr/haproxy-ingress/pull/331)
 * Disable HTTP Basic Auth on CORS pre-flight OPTIONS request [#356](https://github.com/jcmoraisjr/haproxy-ingress/pull/356)
 * Configure annotation prefix - [doc](/README.md#annotation-prefix)
-  * Configmap options:
+  * Command-line options:
     * `--annotations-prefix`
 * Agent check [#287](https://github.com/jcmoraisjr/haproxy-ingress/pull/287) - [doc](/README.md#agent-check)
   * Annotations or configmap options (without prefix):