[ANNOUNCE] haproxy-ingress v0.15.0
1 view
Skip to first unread message
Joao Morais
Oct 15, 2025, 7:59:44 AM10/15/25
to haproxy...@googlegroups.com
HAProxy Ingress v0.15.0 is here!
This is the first stable release of the v0.15 branch. See below
changes from the `v0.14` version.
Major improvements:
* Embedded HAProxy upgrade from 2.4 to 2.6.
* Change from a legacy controller engine component to
[controller-runtime](https://github.com/kubernetes-sigs/controller-runtime).
* Improvements on Gateway API: v1 API and TCPRoute support
* Integration tests
* Dark theme in the documentation
Backward compatibility changes from v0.14:
* HAProxy Ingress used to start as root by default up to v0.14.
Starting on v0.15 the controller container starts as the non root user
`haproxy`, UID `99`. This change should impact deployments that need
to start as root, e.g. chroot enabled, binding on privileged TCP ports
(1024 or below) on old container runtimes, etc. Workloads that need to
run as root can, despite the security risk, configure the security
context in the deployment resource or Helm chart to enforce starting
user as root. See the [security
doc](https://haproxy-ingress.github.io/v0.15/docs/configuration/keys/#security)
for configuration examples.
* Besides starting as non root, the `haproxy` user ID changed from
`1001` to `99`. The former `1001` UID was chosen and created in a day
`docker.io/haproxy` container image started as root (2.3 and older).
Starting from 2.4 the `haproxy` user was added as UID `99`. In v0.15
we started to use the same UID, so file systems shared between
controller and haproxy doesn't have permission issues.
* Election ID was changed, see the
[documentation](https://haproxy-ingress.github.io/v0.15/docs/configuration/command-line/#election-id)
for customization options. Election ID is used by embedded Acme signer
and status updater to, respectively, request certificates and update
ingress status. A cluster of HAProxy Ingress controllers will elect
two controllers at the same time during the rolling update from any
other version to v0.15. Ingress status does not have an impact. See
[Upgrading with embedded Acme](#upgrading-with-embedded-acme) below
for details about upgrading with embedded Acme signer enabled.
* Master worker mode is now enabled by default, see the
[documentation](https://haproxy-ingress.github.io/v0.15/docs/configuration/command-line/#master-worker).
This mode starts a master HAProxy process in foreground, which
controls the worker processes.
* Helm chart has now a distinct field for the registry of an image,
which should impact charts that configure custom repositories. See
[Upgrading with custom
repositories](#upgrading-with-custom-repositories) below for the
details.
* Log debug level is enabled by default. HAProxy Ingress has a good
balance between low verbosity and useful information on its debug
level.
* EndpointSlices API is enabled by default, anticipating the
deprecation of Endpoints API since Kubernetes 1.33.
* Due to EndpointSlices API enabled by default, the minimal supported
Kubernetes version is 1.21 in the default configuration.
* Default image for the log sidecar changed from
`whereisaaron/kube-syslog-sidecar` to
`ghcr.io/crisu1710/kube-syslog-sidecar:0.2.0`. It is the same
codebase, just adding support for multiple architectures.
From `v0.15.0-beta.2`, this release updates the embedded haproxy
version, which fixes CVE-2025-11230, see HAProxy release notes
https://www.mail-archive.com/hap...@formilux.org/msg46189.html .
Other issues were also found and fixed:
- Chitoku found a regression on some certificate related annotations
not working with the `file://` protocol, after implementing global
support on those annotations.
- Artyom found the fronting-proxy configuration overwriting the
`X-Forwarded-Proto` header when both the fronting proxy and the
regular HTTP shares the same TCP port number.
Dependencies:
- embedded haproxy from 2.6.22 to 2.6.23
- go from 1.23.12 to 1.24.7
Links and refs of this release:
* Changelog: https://github.com/jcmoraisjr/haproxy-ingress/blob/master/CHANGELOG/CHANGELOG-v0.15.md#v0150
* GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.15.0
* Release date: 2025-10-15
* Helm chart: --version 0.15.0
* Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.15.0
* Image (Docker Hub): docker.io/jcmoraisjr/haproxy-ingress:v0.15.0
* Embedded HAProxy version: 2.6.23
New fixes and improvements since v0.15.0-beta.2:
* fix reading backend ca certificate from file [#1297] (jcmoraisjr)
* fix xfp header on fronting proxy shared port [#1310] (jcmoraisjr)
* update dependencies [a97f3c3] (Joao Morais)
* update haproxy from 2.6.22 to 2.6.23 [27cda7c] (Joao Morais)
* update go from 1.23.12 to 1.24.7 [266cbba] (Joao Morais)
This is the first stable release of the v0.15 branch. See below
changes from the `v0.14` version.
Major improvements:
* Embedded HAProxy upgrade from 2.4 to 2.6.
* Change from a legacy controller engine component to
[controller-runtime](https://github.com/kubernetes-sigs/controller-runtime).
* Improvements on Gateway API: v1 API and TCPRoute support
* Integration tests
* Dark theme in the documentation
Backward compatibility changes from v0.14:
* HAProxy Ingress used to start as root by default up to v0.14.
Starting on v0.15 the controller container starts as the non root user
`haproxy`, UID `99`. This change should impact deployments that need
to start as root, e.g. chroot enabled, binding on privileged TCP ports
(1024 or below) on old container runtimes, etc. Workloads that need to
run as root can, despite the security risk, configure the security
context in the deployment resource or Helm chart to enforce starting
user as root. See the [security
doc](https://haproxy-ingress.github.io/v0.15/docs/configuration/keys/#security)
for configuration examples.
* Besides starting as non root, the `haproxy` user ID changed from
`1001` to `99`. The former `1001` UID was chosen and created in a day
`docker.io/haproxy` container image started as root (2.3 and older).
Starting from 2.4 the `haproxy` user was added as UID `99`. In v0.15
we started to use the same UID, so file systems shared between
controller and haproxy doesn't have permission issues.
* Election ID was changed, see the
[documentation](https://haproxy-ingress.github.io/v0.15/docs/configuration/command-line/#election-id)
for customization options. Election ID is used by embedded Acme signer
and status updater to, respectively, request certificates and update
ingress status. A cluster of HAProxy Ingress controllers will elect
two controllers at the same time during the rolling update from any
other version to v0.15. Ingress status does not have an impact. See
[Upgrading with embedded Acme](#upgrading-with-embedded-acme) below
for details about upgrading with embedded Acme signer enabled.
* Master worker mode is now enabled by default, see the
[documentation](https://haproxy-ingress.github.io/v0.15/docs/configuration/command-line/#master-worker).
This mode starts a master HAProxy process in foreground, which
controls the worker processes.
* Helm chart has now a distinct field for the registry of an image,
which should impact charts that configure custom repositories. See
[Upgrading with custom
repositories](#upgrading-with-custom-repositories) below for the
details.
* Log debug level is enabled by default. HAProxy Ingress has a good
balance between low verbosity and useful information on its debug
level.
* EndpointSlices API is enabled by default, anticipating the
deprecation of Endpoints API since Kubernetes 1.33.
* Due to EndpointSlices API enabled by default, the minimal supported
Kubernetes version is 1.21 in the default configuration.
* Default image for the log sidecar changed from
`whereisaaron/kube-syslog-sidecar` to
`ghcr.io/crisu1710/kube-syslog-sidecar:0.2.0`. It is the same
codebase, just adding support for multiple architectures.
From `v0.15.0-beta.2`, this release updates the embedded haproxy
version, which fixes CVE-2025-11230, see HAProxy release notes
https://www.mail-archive.com/hap...@formilux.org/msg46189.html .
Other issues were also found and fixed:
- Chitoku found a regression on some certificate related annotations
not working with the `file://` protocol, after implementing global
support on those annotations.
- Artyom found the fronting-proxy configuration overwriting the
`X-Forwarded-Proto` header when both the fronting proxy and the
regular HTTP shares the same TCP port number.
Dependencies:
- embedded haproxy from 2.6.22 to 2.6.23
- go from 1.23.12 to 1.24.7
Links and refs of this release:
* Changelog: https://github.com/jcmoraisjr/haproxy-ingress/blob/master/CHANGELOG/CHANGELOG-v0.15.md#v0150
* GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.15.0
* Release date: 2025-10-15
* Helm chart: --version 0.15.0
* Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.15.0
* Image (Docker Hub): docker.io/jcmoraisjr/haproxy-ingress:v0.15.0
* Embedded HAProxy version: 2.6.23
New fixes and improvements since v0.15.0-beta.2:
* fix reading backend ca certificate from file [#1297] (jcmoraisjr)
* fix xfp header on fronting proxy shared port [#1310] (jcmoraisjr)
* update dependencies [a97f3c3] (Joao Morais)
* update haproxy from 2.6.22 to 2.6.23 [27cda7c] (Joao Morais)
* update go from 1.23.12 to 1.24.7 [266cbba] (Joao Morais)
Reply all
Reply to author
Forward
0 new messages