HAProxy Data Plane API v3.4.0

github-actions released this 01 Jul 14:06

HAProxy Data Plane API v3.4.0 Release Notes

Key changes in the HAProxy Data Plane API 3.4 release include:

The 3.4 release rewrites the API server from go-swagger to a chi router with
oapi-codegen generated handlers (OpenAPI 3) and adds full configuration support
for HAProxy 3.4. Endpoint paths, methods, parameters and success responses are
unchanged, but a small number of intentional client-visible behavior changes are
documented below and in UPGRADE.md.

Major Changes

API Server Migration: go-swagger → chi / oapi-codegen

  • Replaced the go-swagger generated DataPlaneAPI server with a chi router and
    oapi-codegen generated handlers (OpenAPI 3).
  • Migrated all handlers to oapi-codegen and moved the path specification out of
    client-native into dataplaneapi, with new specification-generation tooling.
  • Removed the now-unused operations folder and deprecated generation code.
  • Documented the client-visible behavior changes in UPGRADE.md (see Breaking
    Changes below).

Breaking Changes

  • Error body code mirrors the HTTP status. Validation failures that
    previously carried go-swagger internal codes in the body (e.g. {"code": 606}
    with HTTP 422) now return the HTTP status in the body ({"code": 422}). Clients
    matching on the old 6xx body codes must switch to the HTTP status.
  • Raw configuration endpoints are text-only.
    POST /services/haproxy/configuration/raw accepts only text/plain bodies; the
    previous (accidental) JSON-encoded-string body is no longer accepted, and error
    responses are now application/json instead of text/plain.
  • Unmatched paths require authentication. Basic auth is enforced in front of
    the router, so an unauthenticated request to a non-existent path now returns
    401 instead of 404.
  • SSL certificate DELETE can return 204.
    DELETE /services/haproxy/storage/ssl_certificates/{name} without
    skip_reload/force_reload now removes via the runtime API and returns 204
    on success, falling back to 202 with a Reload-ID header. Treat both as
    success.
  • Request bodies are capped at 1 GiB by default. Bodies exceeding the limit
    are rejected with 413. Configurable via --max-body-size (max_body_size);
    0 disables it.
  • Replacing acme, log_profiles, crt_stores, mailers_section and
    http_errors_sections now triggers a reload. These PUT endpoints previously
    wrote the change without scheduling a reload; they now follow the standard
    pattern (202 with Reload-ID, or 200 with force_reload=true).
  • Removed deprecated process-manager (program) endpoints, following the
    removal of the program section from HAProxy.
  • Removed unused cluster endpoints.
  • Removed deprecated --log-* / --syslog-* CLI options and the persisted
    log storage section, superseded by the log_targets configuration. When no
    log targets are configured, the API defaults to a stdout target.

See UPGRADE.md for the complete list of behavior changes and the chi router
compatibility shims (JSON error bodies, Allow header on 405, trailing-slash
handling, Reload-ID header spelling).
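
A client-side response check that reflects the status-code changes listed above, as an added Go example that is not code from the dataplaneapi project. The Outcome type and Classify function are hypothetical names, and the sample responses in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Outcome is a hypothetical client-side classification, not a Data Plane API type.
type Outcome string

const (
	Applied       Outcome = "applied"        // 200/201/204: change is live
	ReloadPending Outcome = "reload-pending" // 202: track the Reload-ID
	AuthRequired  Outcome = "auth-required"  // 401, including unknown paths
	BodyTooLarge  Outcome = "body-too-large" // 413: over --max-body-size
	Rejected      Outcome = "rejected"       // any other error status
)

// Classify maps a response to an Outcome using the 3.4 rules in these notes.
// It errors when an error body is not JSON or its code differs from the status.
func Classify(status int, h http.Header, body []byte) (Outcome, string, error) {
	switch {
	case status == http.StatusAccepted:
		return ReloadPending, h.Get("Reload-ID"), nil
	case status >= 200 && status < 300:
		return Applied, "", nil
	case status == http.StatusUnauthorized:
		return AuthRequired, "", nil
	case status == http.StatusRequestEntityTooLarge:
		return BodyTooLarge, "", nil
	}
	var e struct {
		Code int `json:"code"`
	}
	if err := json.Unmarshal(body, &e); err != nil {
		return Rejected, "", fmt.Errorf("status %d: error body is not JSON", status)
	}
	if e.Code != status {
		return Rejected, "", fmt.Errorf("body code %d != HTTP status %d (pre-3.4 server?)", e.Code, status)
	}
	return Rejected, "", nil
}

func main() {
	h := http.Header{} // constructed sample responses, not captured from a server
	h.Set("Reload-ID", "example-reload-id")
	fmt.Println(Classify(202, h, nil))
	fmt.Println(Classify(422, nil, []byte(`{"code": 606}`)))
}
```

Probes that previously treated 404 on an unknown path as "service reachable" land in the AuthRequired branch when sent without credentials, so liveness checks should authenticate or accept 401.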

New Features

Health Check Section

  • Added full CRUD support for the HAProxy healthcheck section, including
    handlers and oapi-codegen specification (dataplaneapi) and configuration,
    parser and specification support (client-native).

Force Backend Switching

  • Added support for the force-be-switch frontend rule, with a registered
    handler (dataplaneapi) and parser/configuration support (client-native).

HAProxy 3.4 Configuration Support (client-native)

  • Added HAProxy 3.4 proxy options, global process options and global tune
    options.
  • Added headers-bin HTTP rule actions.
  • Added filter-sequence and comp-req / comp-res filters.
  • Extended set-timeout, do-log and filter trace for HAProxy 3.4.
  • Added the quic-cc-algo server directive.
  • Added the shards and tcp-ss bind options.
  • Added the fd-hard-limit global option.
  • Added 4 new tunable keywords for HAProxy 3.4.
  • Allowed HAProxy variables in object name fields.
  • Removed the deprecated req_ssl_sni, replaced by req.ssl_sni.

ACME

  • Added support for the dns-persist-01 ACME challenge (client-native).
  • Added the profile ACME keyword (client-native).
  • Added new ACME keywords for HAProxy 3.4 (client-native).
  • Allowed setting the DNS TTL via acme-vars (dataplaneapi).

Runtime

  • Added all supported server parameters to the runtime server handler
    (dataplaneapi).
  • Added all fields for the runtime server, added server weight and made the
    address editable (client-native).
  • Improved HAProxy runtime version checks and allowed ExecuteRaw to run
    multiple commands at once (client-native).

Server and Request Handling

  • Added a configurable request body size limit via --max-body-size
    (default 1 GiB).
  • Stream multipart uploads instead of buffering them in memory.
  • Exposed the client-native validate_files_before option.

Bug Fixes

Data Plane API

  • Trigger a reload when replacing an http-errors section.
  • Fixed data races, a goroutine leak and reconnect logic in the events listener.
  • Fixed a nil-dereference panic in the events listener Stop().
  • ACME: fixed saving certificates into a crt-store.
  • ACME: increased the default TTL to 1 minute.
  • Fixed ACME dns-01 propagation checks.
  • Return the correct error code when adding duplicates into a map file.
  • Ignore empty runtime API commands.

Configuration and Serialization (client-native)

  • Fixed crashes and non-idempotent serialization.
  • Order the fcgi-app section before proxies.
  • Set the log-profile metadata comment on the right section.
  • Preserve quoting of log-profile step sd/format.
  • Fixed serialization of the ACME provider-name.
  • Added " to name regexes to support variable names.
  • Dropped the RSA-only bits minimum for ACME.
  • Fixed read-only fields for the SSL certificate resource.
  • Generate the specification with the proper template.
  • Fixed a typo in specification description fields.
  • Fixed force-be-switch rule parsing and parts condition.
  • crt_store: fixed the section to match the v3 URL structure.
  • userlists: fixed ordering of users in serialization.
  • dgram-bind: fixed IPv6 address parsing and serialization.
  • server: don't set the port to 0 when it is not set.
  • Fixed a typo and a boolean type in the runtime server.
  • raw: use the custom validation command on validate-only.

Runtime (client-native)

  • Ensure heredoc payloads have a blank-line terminator.
  • Fixed a data race on lastError causing a nil-pointer panic.
  • Fixed an EventListener Close() deadlock and channel panic.
  • Reject special characters in filenames.
  • Get the real storage name of certificates.

Other Changes

Build and Dependencies

  • Upgraded Go to 1.26.
  • Upgraded golangci-lint and fixed the resulting linting errors.
  • Upgraded the client-native library to v6.4.0.
  • Updated AWS SDK, golang.org/x, go-openapi and gRPC packages.
  • Added specification-generation support and updated codegen dependencies.
  • client-native: upgraded go-method-gen to v0.1.4 and handled interface types
    in the struct-equal generator.

Testing

  • Migrated e2e fixtures to log_targets.
  • Added e2e and unit tests for the healthcheck section, the auth middleware and
    the respond helpers.
  • Fixed stale endpoint paths and assertions; raw endpoints no longer send JSON;
    moved crt-list tests to the proper URL.
  • Fixed a flaky SSL storage test and a syntax error in the e2e groups test.

CI/CD

  • Require pipelines-check for all jobs and added JUnit reporting.
  • Added check-dependencies and check-committer jobs.
  • Use the latest-alpine golang image; removed the check-large-files job;
    bumped the commit-check version.

Documentation

  • Documented the client-visible changes from the go-swagger migration in
    UPGRADE.md.
  • Removed the deprecated log section from the example-full configuration.

HAProxy Compatibility

This release supports HAProxy 3.4 and later versions.

Contributors

Contributor          Area
Marko Juraga         FEATURE | BUG | BUILD | CLEANUP | DOC | TEST
Olivier Duclos       FEATURE | BUG | BUILD | TEST
Robert Maticevic     FEATURE | BUG | BUILD | CLEANUP | DOC | REORG | TEST
ahusic               FEATURE | BUILD | TEST
Zlatko Bratkovic     FEATURE | BUILD
Ivan Matmati         FEATURE | BUILD
Andjelko Iharos      BUG
AdamJCrawford        FEATURE
Dario Tranchitella   BUG
Helene Durand        FEATURE
Pierre-Alain SIMON   FEATURE
Dinko Korunic        BUG