doc.yaml

active_version: 3.0
image_arguments:
  - argument: --configmap
    description: Sets the ConfigMap object that defines global settings for the ingress controller. An empty ConfigMap is deployed by default and you can see its name by calling <code>kubectl get configmaps</code>. You can either override the default ConfigMap with your own object that uses the same name, or you can set this argument to point to a different ConfigMap. See the ConfigMap Options to learn which values you can store in the ConfigMap.
    values:
      - The name of the ConfigMap that contains global settings. Defaults to `default/haproxy-configmap`
    default: default/haproxy-configmap
    version_min: "1.4"
    example: --configmap=default/my-configmap
  - argument: --job-check-crd
    description: Special mode for controller that checks if the CRDs are installed and are on latest version. Note that this will not run ingress controller, it just checks if CRDs are OK and exits
    values:
      - this is boolean flag
    default: false
    version_min: "1.9"
    example: --job-check-crd
  - argument: --configmap-tcp-services
    tip:
      - Ports of TCP services should be exposed on the controller's Kubernetes service
    description: |-
      Sets the ConfigMap that contains mappings for TCP services to proxy through the ingress controller. This ConfigMap contains mappings like this:

      ```yaml
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: tcp
        namespace: haproxy-controller
      data:
        3306:                    # Port where the frontend is going to listen to.
          mysql-ns/mysql:3306    # Kubernetes service in the format NS/ServiceName:ServicePort
        389:
          ldap-ns/ldap:389:ssl   # ssl option will enable ssl offloading for target service.
        6379:
          redis-ns/redis:6379
      ```
    values:
      - The name of the ConfigMap that contains mappings for TCP services
    version_min: "1.4"
    example: --configmap-tcp-services=default/my-tcpservices-configmap
  - argument: --configmap-errorfiles
    description: |-
      Sets the ConfigMap object that defines contents to serve instead of HAProxy errors.
      As explained in the [haproxy documentation](https://docs.haproxy.org/2.8/configuration.html#4.2-errorfile) it is important to understand that errorfile content is not meant to rewrite errors returned by the server, but rather errors detected and returned by HAProxy.
      In the following example, instead of HAProxy returning a 503 error, it will return the corresponding content in the ConfigMap:

      ```yaml
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: errorfile
        namespace: haproxy-controller
      data:
        503: |-
          HTTP/1.0 503 Service Unavailable
          Cache-Control: no-cache
          Connection: close
          Content-Type: text/html

          <html><body><h1>Oops, that's embarrassing!</h1>
          There are no servers available to handle your request.
          </body></html>
      ```
    values:
      - The name of the ConfigMap containing errorfile content
    version_min: "1.5"
    example: --configmap-errorfiles=default/errorfile
  - argument: --configmap-patternfiles
    description: |-
      Sets the ConfigMap object that defines pattern files to be used in HAProxy configuration.
      Controller will create corresponding files and update them when ConfigMap is updated.
      Pattern files are particularly useful for [HAProxy ACLs](https://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.1) where we can load patterns from file.
      The following example will load two pattern files:
      ```
      % cat /tmp/ips
      127.0.0.1
      10.0.0.0/8
      1.2.3.4/24
      ```
      ```
      % cat /tmp/names
      foo
      bar
      toto
      bidule
      ```

      ```
      kubectl create -n default configmap acl-patterns --from-file=/tmp/ips --from-file=/tmp/names
      ```
      The resulting configmap will be:

      ```yaml
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: acls-patterns
        namespace: haproxy-controller
      data:
        ips: |
          127.0.0.1
          10.0.0.0/8
          1.2.3.4/24
        names: |
          foo
          bar
          toto
          bidule
      ```
      Pattern files are useful in [config-snippets](./README.md#config-snippet). Example:
      ```
      backend-config-snippet: |
        http-request deny if !{ src -f patterns/ips }
      ```
    tip:
      - In order to use pattern files, the target file **should be prefixed with "patterns/"**
    values:
      - The name of the ConfigMap in format NS/ConfigMapName
    version_min: "1.8"
    example: --configmap-patternfiles=default/acl-patterns
  - argument: --default-backend-service
    description: |-
      The name of the Kubernetes service to send requests to when no Ingress rules match.
      By default, it uses the builtin HTTP backend.
    values:
      - The name of the backend service
    version_min: "1.4"
    example: --default-backend-service=default/my-default-service
  - argument: --default-backend-port
    description: if default-backend-service is not used with this you can set default port used for same purpose
    values:
      - port that will be used for default service within controller pod
    version_min: "1.8"
    example: --default-backend-port=6060
  - argument: --pprof
    description: enable pprof endpoint, if default-backend-port is not used 6060 will be used
    values:
      - this is boolean flag
    version_min: "1.4"
    example: --pprof
  - argument: --prometheus
    description: enable prometheus endpoint, if default-backend-port is not used 6060 will be used
    values:
      - this is boolean flag
    version_min: "1.8"
    example: --prometheus
  - argument: --default-ssl-certificate
    description: The name of a TLS Secret that contains the certificate to use for SSL/TLS traffic. This can be overridden with the <code>ssl-certificate</code> setting.
    values:
      - The name of the TLS Secret
    version_min: "1.4"
    example: --default-ssl-certificate=default/my-tls
  - argument: --ingress.class
    description: A name to assign to the ingress controller so that Ingress objects can target it apart from other running ingress controllers.
    tip:
      - In kubernetes 1.18+, a new `IngressClass` resource can be referenced by Ingress objects to target an Ingress Controller.
        More details can be found in the [IngressClass doc entry](./ingressclass.md).
    values:
      - The name of the ingress class
    version_min: "1.4"
    example: --ingress.class=haproxy
    helm: |-
      helm install intranet haproxytech/kubernetes-ingress \
        --set controller.ingressClass=haproxy
  - argument: --empty-ingress-class
    description: A flag to indicate the controller should process ingresses with empty ingress.class annotation.
    values:
      - No value.Being a flag you add it or not.
    default: false
    version_min: "1.6"
    example: --empty-ingress-class
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--empty-ingress-class}"
  - argument: --gateway-controller-name
    description: identifier of your controller to know which gatewayclass it will handle
    values:
      - The name of the controllerName in GatewayClass
    version_min: "1.10"
    example: --gateway-controller-name=haproxy.org/gateway-controller
    helm: |-
      helm install intranet haproxytech/kubernetes-ingress \
        --set controller.gatewayControllerName=haproxy.org/gateway-controller
  - argument: --namespace-blacklist
    description: Namespaces that the ingress controller should not monitor for changes to pods and services.
    values:
      - The namespace to exclude from monitoring; You can specify this argument multiple times
    version_min: "1.4"
    example: --namespace-blacklist=foo --namespace-blacklist=bar
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--namespace-blacklist=foo}"
  - argument: --namespace-whitelist
    description: Namespaces that the ingress controller should monitor for changes to pods and service.
    values:
      - The namespace to monitor; You can specify this argument multiple times
    version_min: "1.4"
    example: --namespace-whitelist=foo --namespace-whitelist=bar
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--namespace-whitelist=foo}"
  - argument: --publish-service
    description: Copies the ingress controller's IP address to the 'Address' field in all Ingress objects that the controller manages. This is useful for tools like external-dns, which use this information to create DNS records.
    values:
      - Name of the ingress controller's service, e.g. default/kubernetes-ingress
    version_min: "1.4"
    example: --publish-service=default/kubernetes-ingress
  - argument: --disable-ipv4
    description: Disabling the IPv4 bind support.
    values:
      - Boolean value, just need to declare the flag to disable the IPv4.
    default: false
    version_min: "1.5"
    example: --disable-ipv4
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--disable-ipv4}"
  - argument: --disable-ipv6
    description: Disabling the IPv6 bind support.
    values:
      - Boolean value, just need to declare the flag to disable the IPv6.
    default: false
    version_min: "1.5"
    example: --disable-ipv6
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--disable-ipv6}"
  - argument: --ipv4-bind-address
    description: Customize the IPv4 binding address.
    values:
      - "A valid IPv4 addresses. Default: 0.0.0.0"
    default: 0.0.0.0
    version_min: "1.5"
    example: --ipv4-bind-address=10.0.0.1
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--ipv4-bind-address=10.0.0.1}"
  - argument: --ipv6-bind-address
    description: Customize the IPv6 binding address.
    values:
      - "A valid IPv6 addresses. Default: ::"
    default: "::"
    version_min: "1.5"
    example: --ipv6-bind-address=::ffff:c0a8:5909
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--ipv6-bind-address=::ffff:c0a8:5909}"
  - argument: --http-bind-port
    description: Customize the HTTP frontend binding port.
    values:
      - "A valid port in the range. Default: 8080"
    default: 8080
    version_min: "1.5"
    example: --http-bind-port=8080
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--http-bind-port=8080}"
  - argument: --https-bind-port
    description: Customize the HTTPS frontend binding port.
    values:
      - "A valid port in the range. Default: 8443"
    default: 8443
    version_min: "1.5"
    example: --https-bind-port=8443
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--https-bind-port=8443}"
  - argument: --disable-http
    description: Disabling the HTTP frontend.
    values:
      - Boolean value, just need to declare the flag to disable the HTTP frontend.
    default: false
    version_min: "1.5"
    example: --disable-http
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--disable-http}"
  - argument: --disable-https
    description: Disabling the HTTPS frontend.
    values:
      - Boolean value, just need to declare the flag to disable the HTTPS frontend.
    default: false
    version_min: "1.5"
    example: --disable-https
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--disable-https}"
  - argument: --sync-period
    description: The interval at which the controller syncs its configuration with updated Kubernetes objects. In the case where the ingress controller is reloading too frequently, a higher value may be required. Note, if using helm charts you must also adjust the `startupProbe`'s `initialDelaySeconds` value. Its value must be higher than the `--sync-period` value.
    values:
      - An integer with unit of time (1s = 1 second, 1m = 1 minute, 1h = 1 hour); Defaults to 5s
    default: 5s
    version_min: "1.4"
    example: --sync-period=10s
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--sync-period=60s}" \
        --set controller.startupProbe.initialDelaySeconds=80
  - argument: --cache-resync-period
    description: Sets the default re-synchronization period at which the controller will re-apply the desired state.
    values:
      - The duration in <code>time.Duration</code> format; Defaults to 10m (10 minutes).
    default: 10m
    version_min: "1.5"
    example: --cache-resync-period=30m
  - argument: --log
    description: The level of logging to perform; Defaults to <i>info</i>
    values:
      - error
      - warning
      - info (default)
      - debug
      - trace
    default: info
    version_min: "1.4"
    example: --log=debug
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set controller.logging.level=debug
  - argument: --external
    description: Run as external Ingress Controller (out of kubernetes cluster). This can be done by cloning Ingress Controller project and building Controller with `go build`. Or using `export GO111MODULE=on;  go get github.com/haproxytech/kubernetes-ingress`.
    values:
      - Boolean value.
    default: false
    external: true
    version_min: "1.5"
    example: --external
  - argument: --program
    description: Path to HAProxy binary to use when running controller in [external mode](#--external).
    values:
      - Path to HAProxy binary
    default: haproxy in PATH location
    external: true
    version_min: "1.5"
    example: --external --program=/usr/bin/haproxy
  - argument: --config-dir
    description: Path to HAProxy configuration directory when running controller in [external mode](#--external). Configuration directory is where resources like configuration file, certificates, haproxy map files, are located.
    values:
      - Path to configuration directory
    default: "/tmp/haproxy-ingress/etc"
    external: true
    version_min: "1.5"
    example: --external --config-dir=/haproxy-ingress/etc
  - argument: --runtime-dir
    description: Path to HAProxy runtime directory when running controller in [external mode](#--external). Runtime directory is where resources like PID file, runtime socket, etc are located.
    values:
      - Path to runtime directory
    default: "/tmp/haproxy-ingress/run"
    external: true
    version_min: "1.5"
    example: --external --runtime-dir=/haproxy-ingress/run
  - argument: --disable-service-external-name
    description: Disable forwarding to ExternalName Services due to CVE-2021-25740
    values:
      - Boolean value, just need to declare the flag to disable forwarding to ExternalName Services.
    default: "false"
    version_min: "1.6"
    example: --disable-service-external-name
    helm: |-
      helm install haproxy haproxytech/kubernetes-ingress \
        --set-string "controller.extraArgs={--disable-service-external-name}"
  - argument: --channel-size
    description: |-
      Sets the size of controller buffers used to receive and send k8s events.
      This parameter is a cursor to adapt to the number of resources inside your clusters and that generate a lot of events.
      Rule of thumb: the more resources the higher the value.
    values:
      - Size of channels used for k8s resources events with regards to ingresses, etc.
    default: 600
    version_min: "1.7"
    example: --channel-size=10000
  - argument: --disable-config-snippets
    description: |-
      Allow to disable one or several of the following config snippets: backend, frontend, global.
    values:
      - Comma separated list of the kind of config snippets to disable. Possible values in the list are
      - backend,frontend,global,all
      - If 'all' is present then all (backend, frontend, global) config snippets are disabled.
    version_min: "1.11"
    example: --disable-config-snippets=backend,frontend
  - argument: --disable-quic
    description: option to disable the quic binding used by default if a certificate is provided throug ssl-certificate annotation. Please be aware that the quic implementation is activated with the "limited-quic" global option. Please refer to the documentation for details.
    default: false
    version_min: "1.11"
    example: |-
      args:
        - --disable-quic
  - argument: --quic-announce-port
    description: adjust the port in the alt-svc header to redirect to the exposed port in case it differs from the quic binding port.
    version_min: "1.11"
    example: |-
      args:
        - --quic-announce-port=10443
  - argument: --quic-bind-port
    description: sets the binding port for quic in HTTPS frontend.
    version_min: "1.11"
    example: |-
      args:
        - --quic-bind-port=4443
  - argument: --disable-writing-only-if-reload
    description: Disable the delayed writing of files to disk ONLY in case of haproxy reload (= write files to disk even if no reload)
    values:
      - Boolean value, just need to declare the flag to disable
    default: false
    version_min: "3.1"
    example: --disable-writing-only-if-reload
  - argument: --input-file
    description: |-
      This is the path to a manifest (yaml) of a v1 version to the CRDs to convert to v3.
      Goes with --output-file for the result
    values:
      - Path a to a CRD manifest you want to convert to the latest version
    example: --input-file=/home/xxx/convert/v1/global-full.yaml
    version_min: "3.2"
  - argument: --output-file
    description: |-
        This is the path to a manifest (yaml) where to write to the converted v3 CRD from a v1 manifest (see --input-file).
        Goes with --input-file
    values:
        - Path a to a CRD manifest where the converted v3 CRDs will be written
    example: --output-file=/home/xxx/convert/v3/global-full.yaml
    version_min: "3.2"
groups:
  config-snippet:
    header: |-
      - Insert raw HAProxy configuration in specific HAProxy config sections.
      - There is **no data validation** done by Ingress Controller. If input is incorrect, HAProxy will fail to apply new configuration.
      - It is possible to use [pattern files](controller.md/#--configmap-patternfiles) inside config snippets.
  CORS:
    header: |-
      - *Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources.* -  [Mozilla Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
  access-control:
    header: |-
      - Access control is disabled by default
      - Access control can be set for all traffic (annotation on configmap) or for a set of hosts (annotation on ingress)
  https:
    header: |-
      - [SSL offloading/decryption](#ssl-offloading) will be automatically enabled if valid SSL certificates are provided.
  ssl-offloading:
    header: |
      - Controller will look into kubernetes secrets for valid SSL certificates to configure in HAProxy.
      - A default certificate can be provided via controller [argument](controller.md) `--default-ssl-certificate`=\<namespace\>/\<secret\> or ConfigMap annotation [ssl-certificate](#ssl-certificate).
      - Certificates can be defined in Ingress object: `spec.tls[].secretName`
    footer: |
      - A secret can be of `tls` type (most common) created via :
        ```
        kubectl create secret tls my-secret --key=<key-path> --cert=<cert-path>
        ```
      - A secret can be of `generic` type if we want to have a certificate in  multiple formats:
        ```
        kubectl create secret generic my-secret --from-file=rsa.key=<rsa-key-path> --from-file=rsa.crt=<rsa-cert-path> \
                                                --from-file=ecdsa.key=<ecdsa-key-path> --from-file=ecdsa.crt=<ecdsa-cert-path>

        ```
        The only possible keys are the following,
        - rsa.key
        - rsa.crt
        - ecdsa.key
        - ecdsa.crt
        - dsa.key
        - dsa.crt
annotations:
  - title: auth-type
    type: string
    group: authentication
    dependencies: ""
    default: ""
    description:
      - Enables the selected HTTP authentication strategy.
    tip: []
    values:
      - basic-auth
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - "auth-type: basic-auth"
      - "auth-secret: default/haproxy-credentials"
  - title: auth-secret
    type: string
    group: authentication
    dependencies: auth-type
    default: ""
    description:
      - Selects the Kubernetes Secret where authentication data can be found.
    tip:
      - Encrypted passwords are evaluated using the crypt(3) function, so depending on the system's capabilities, different algorithms are supported.
      - Unencrypted passwords (used with HAProxy [insecure-password](https://docs.haproxy.org/2.8/configuration.html#3.4-user) ) **are not accepted**.
    values:
      - |-
        The annotation format is a secret path *namespace/secretName*. If the namespace is omitted (path is only *secretName*) then the ingress namespace will be used.
        For Basic Authentication, the Secret data should contain user credentials in the form of `username: encrypted and base-64 encoded password`. For example:

        ```
        bob: JDEkYWJjJEJYQnFwYjlCWmNaaFhMZ2JlZS4wcy8=
        ```

        Create the Kubernetes Secret resource in the following way:

        ```bash
        kubectl create secret generic haproxy-credentials \
          --from-literal=bob=$(openssl passwd -1 bobPassword) \
          --from-literal=alice=$(openssl passwd -1 alicePassword)

          # secret/haproxy-credentials created
        ```
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - "auth-type: basic-auth"
      - "auth-secret: default/haproxy-credentials"
  - title: auth-realm
    type: string
    group: authentication
    dependencies: "auth-type, auth-secret"
    default: "Protected Content"
    description:
      - Provides the HTTP Authentication Realm
    tip: []
    values:
      - Realm name
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example: ["auth-realm: Admin Area"]
  - title: blacklist
    type: IPs/CIDRs or pattern file
    group: access-control
    dependencies: ""
    default: ""
    description:
      - "**Deprecated**, use `deny-list` instead."
      - Blocks given IP addresses and/or IP address ranges.
    tip:
      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
    values:
      - Comma-separated list of IP addresses and/or CIDR ranges
      - Path to a pattern file, e.g. `pattern/ips`
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ['blacklist: "192.168.1.0/24, 192.168.2.100"']
  - title: deny-list
    type: IPs/CIDRs or pattern file
    group: access-control
    dependencies: ""
    default: ""
    description:
      - Blocks given IP addresses and/or IP address ranges.
    tip:
      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
    values:
      - Comma-separated list of IP addresses and/or CIDR ranges
      - Path to a pattern file, e.g. `pattern/ips`
    applies_to:
      - configmap
      - ingress
    version_min: "1.11"
    example: [ 'deny-list: "192.168.1.0/24, 192.168.2.100"' ]
  - title: check
    type: bool
    group: backend-checks
    dependencies: ""
    default: "true"
    description:
      - Enables TCP level health checks on pods and attempts a TCP connection periodically.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['check: "true"']
  - title: check-http
    type: string
    group: backend-checks
    dependencies: check
    default: ""
    description:
      - Enables HTTP level health checks on pods and sends an HTTP request periodically.
        The `check` setting must be true.
    tip: []
    values:
      - URI to make HTTP requests to, e.g. `/health`
      - URI with method, e.g. `HEAD /health`
      - URI, method and HTTP version, e.g. `HEAD /health HTTP/1.1`
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example:
      - 'check: "true"'
      - 'check-http: "/health"'
  - title: check-interval
    type: "[time](#time)"
    group: backend-checks
    dependencies: check
    default: ""
    description:
      - Sets the interval between health checks when `check` is enabled.
    tip: []
    values:
      - Integer with time unit suffix (1m = 1 minute, 10s = 10 seconds)
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example:
      - 'check: "true"'
      - 'check-interval: "1m"'
  - title: clean-certs
    type: bool
    group:
    dependencies:
    default: "true"
    description:
      - Switches certificates clean up.
      - By default controller cleans up unused certificates in haproxy cert directory.
      - In the case where certificates may be handled by a side-car container, it is useful not to remove certificates unkown to controller.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.6"
    example:
      - 'clean-certs: "false"'
  - title: client-ca
    type: string
    group: authentication
    dependencies: ssl-offloading
    default: ""
    description:
      - Sets the client certificate authority enabling HAProxy to check clients certificate (TLS authentication), thus enabling client *mTLS*.
    tip:
      - NB, [ssl-offloading](#ssl-offloading) **should be enabled** for TLS authentication to work.
    values:
      - secret path in "namespace/name" format.
    applies_to:
      - configmap
    version_min: "1.6"
    example:
      - "client-ca: exp/client-ca.crt"
  - title: client-crt-optional
    type: bool
    group: authentication
    dependencies: client-ca
    default: "false"
    description:
      - If enabled, certificate verification will be optional which means haproxy will still accept the client connection even if the certificate verification fails.
      - If disabled haproxy will enforce verification of client certificates and only accepts client with valid certificate.
    tip:
      - NB, [client-ca](#client-ca) **should be enabled** for certificate verification to work.
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.6"
    example:
      - "client-crt-optional: true"
  - title: client-strict-sni
    type: bool
    group: ssl-offloading
    dependencies: client-ca
    default: "false"
    description:
      - If enabled, HAProxy will only accept TLS client connections where the provided SNI matchs an existing certificate.
      - If disabled HAProxy will service the default certificate when the provided SNI does not match.
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.8"
    example:
      - "client-strict-sni: true"
  - title: cors-enable
    type: bool
    group: CORS
    dependencies: ""
    default: "false"
    description:
      - Enables CORS rules for corresponding Ingress traffic.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-enable: "true"'
  - title: cors-allow-origin
    type: string
    group: CORS
    dependencies: cors-enable
    default: "*"
    description:
      - Sets the `Access-Control-Allow-Origin` response header to tell browsers which origin is allowed to access the requested resource.
    tip:
      - With "regex" value, it is possible to allow a list of origins. If one of them matches the request Origin header it will be returned to the client.
    values:
      - Wildcard `*`, allow access form any origin.
      - Regex, regex should match an origin (request Origin header) in the format `<scheme> "://" <hostname> [ ":" <port> ]` if the origin is matched then it will be the value of `Access-Control-Allow-Origin`.
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-allow-origin: "*"'
      - 'cors-allow-origin: "https://example.com"'
      - 'cors-allow-origin: "^https://(.+\.)?(example-1\.com|example-2\.com)(:\d{1,5})?$"'
  - title: cors-allow-methods
    type: string
    group: CORS
    dependencies: cors-enable
    default: "*"
    description:
      - Sets the `Access-Control-Allow-Methods` response header to tell browsers the HTTP methods allowed when accessing the request resource.
    tip: []
    values:
      - Wildcard `*`, allow access for all HTTP methods.
      - A comma-separated list of HTTP methods
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-allow-methods: "*"'
      - 'cors-allow-methods: "GET"'
      - 'cors-allow-methods: "GET, POST"'
  - title: cors-allow-credentials
    type: bool
    group: CORS
    dependencies: cors-enable
    default: "false"
    description:
      - Sets the `Access-Control-Allow-Credentials` response header to tell browsers if credentials can be used to access the requested resource.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-allow-credentials: "true"'
  - title: cors-allow-headers
    type: string
    group: CORS
    dependencies: cors-enable
    default: "*"
    description:
      - Sets the `Access-Control-Allow-Headers` response header to tell browsers which HTTP headers can be used when accessing the request resource.
    tip: []
    values:
      - Wildcard `*`, allow access for all HTTP headers.
      - A comma-separated list of HTTP headers
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-allow-headers: "*"'
      - 'cors-allow-headers: "X-Custom-Header"'
      - 'cors-allow-headers: "X-Custom-Header, Upgrade-Insecure-Requests"'
  - title: cors-max-age
    type: "[time](#time)"
    group: CORS
    dependencies: cors-enable
    default: "5s"
    description:
      - Sets the `Access-Control-Allow-Age` response header to tell browsers how long the result of a preflight request can be cached.
    tip: []
    values:
      - A [time](#time) duration
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'cors-max-age: "1m"'
  - title: global-config-snippet
    type: string
    group: config-snippet
    dependencies: ""
    default: ""
    description:
      - Defines a group of configuration directives to insert the HAProxy global section.
    tip: []
    values:
      - One or more valid HAProxy directives
    applies_to:
      - configmap
    version_min: "1.5"
    example_configmap: |-
      global-config-snippet: |
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
        ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
        tune.ssl.default-dh-param 2048
        tune.bufsize 32768
  - title: frontend-config-snippet
    type: string
    group: config-snippet
    dependencies: ""
    default: ""
    description:
      - Defines a group of configuration directives to insert in the main HTTP/HTTPS frontends.
    tip:
      - Because frontend-config-snippet is inserted in the main http/https frontends it will apply to all traffic. To apply configuration by Ingress, annotations should be privileged.
      - Ingress Controller logic is inserted in the main frontends before any config-snippet configuration so controller configuration will be **evaluated first**.
      - It is safer to privilege [backend-config-snippet](#backend-config-snippet) when possible to avoid conflicts with controller configuration.
    values:
      - One or more valid HAProxy directives
    applies_to:
      - configmap
    version_min: "1.6"
    example_configmap: |-
      frontend-config-snippet: |
        unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
        unique-id-header X-Unique-ID
  - title: stats-config-snippet
    type: string
    group: config-snippet
    dependencies: ""
    default: ""
    description:
      - Defines a group of configuration directives to insert in the stats frontend.
    tip: []
    values:
      - One or more valid HAProxy directives
    applies_to:
      - configmap
    version_min: "1.6"
    example_configmap: |-
      stats-config-snippet: |
        stats auth foo:test
  - title: backend-config-snippet
    type: string
    group: config-snippet
    dependencies: ""
    default: ""
    description:
      - Defines a group of configuration directives to add directly to a HAProxy backend section.
    tip: []
    values:
      - One or more valid HAProxy directives
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.5"
    example:
      - |-
        backend-config-snippet: |
              http-send-name-header x-dst-server
              stick-table type string len 32 size 100k expire 30m
              stick on req.cook(sessionid)
  - title: cookie-persistence
    type: string
    description:
      - Enables persistent connections (sticky sessions) between a client and a pod by inserting a cookie
        into the client's browser that is used to remember which backend pod they connected
        to before.
      - Dynamic cookies are used by default via a [dynamic-cookie-key](https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4.2-dynamic-cookie-key) in order to support sticky sessions across multiple Ingress Controller instances/replicas.
    tip:
      - This will insert the following cookie configuration in the corresponding backend `cookie <cookie-name> insert indirect nocache dynamic` with `<cookie-name>` the value of this annotation.
    values:
      - A name for the cookie
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['cookie-persistence: "mycookie"']
  - title: cookie-persistence-no-dynamic
    type: string
    description:
      - Enables persistent connections (sticky sessions) between a client and a pod by inserting a cookie
        into the client's browser that is used to remember which backend pod they connected
        to before.
      - Dynamic cookies are not used contrary to cookie-persistence annotation. The cookie will have the server name.
    tip:
      - |-
        This will insert the following cookie configuration in the corresponding backend
        `cookie <cokkie-name> indirect nocache insert` with `<cookie-name>` the value of this annotation.
        The server line will have `server <server-name> <server-address> enabled cookie <server-name>`
    values:
      - A name for the cookie
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "3.1"
    example: ['cookie-persistence-no-dynamic: "mycookie"']
  - title: dontlognull
    type: bool
    group: logging
    dependencies: ""
    default: "true"
    description:
      - Do not log connections that sends no data, which can happen with monitoring systems.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['dontlognull: "true"']
  - title: src-ip-header
    type: string
    group: src-ip-header
    dependencies: ""
    default: "null"
    description:
      - Set the source IP from a header rather than the L3 connection.
    tip: []
    values:
      - "any header name"
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example: ['src-ip-header: "True-Client-IP"']
  - title: forwarded-for
    type: bool
    group: x-forwarded-for
    dependencies: ""
    default: "true"
    description:
      - Adds the X-Forwarded-For HTTP header to requests to capture and relay the client's
        source IP address to backend pods.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['forwarded-for: "true"']
  - title: hard-stop-after
    type: "[time](#time)"
    group: hard-stop-after
    dependencies: ""
    default: "30m"
    description:
      - Defines the maximum time allowed to perform a clean soft-stop.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["hard-stop-after: 30s"]
  - title: http-connection-mode
    type: string
    group: http-options
    dependencies: ""
    default: http-keep-alive
    description:
      - Sets HAProxy connection mode
    values:
      - http-keep-alive `default` - Enables HTTP Keep-Alive both from the client to HAProxy and
        from HAProxy to the backend.
      - http-server-close - Disables HTTP Keep-Alive between HAProxy and the backend,
        while allowing it to stay enabled from the client to HAProxy.
      - httpclose - HAProxy will close connections with the server and the client as
        soon as the request and the response are received
    applies_to:
      - configmap
    version_min: "1.8"
    example: ['http-connection-mode: "http-server-close"']
  - title: http-keep-alive
    type: bool
    group: http-options
    dependencies: ""
    default: "true"
    description:
      - "**Deprecated**, use `http-connection-mode` instead."
      - Enables HTTP Keep-Alive both from the client to HAProxy and from HAProxy to the
        backend.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['http-keep-alive: "true"']
  - title: http-server-close
    type: bool
    group: http-options
    dependencies: ""
    default: "false"
    description:
      - "**Deprecated**, use `http-connection-mode` instead."
      - Disables HTTP Keep-Alive between HAProxy and the backend, while allowing it to
        stay enabled from the client to HAProxy.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['http-server-close: "true"']
  - title: ingress.class
    type: string
    group: ingress class
    dependencies: ""
    default: ""
    description:
      - Identifies the ingress controller to be used. If this value is the same as the [--ingress.class](./controller.md#--ingressclass) controller arg, the ingress resource will be processed.
    tip:
      - In kubernetes 1.18+, a new `IngressClass` resource can be referenced by Ingress objects to target an Ingress Controller.
        More details can be found in the [IngressClass doc entry](./ingressclass.md).
      - In case both `ingress.class` annotation and `ingressClassName` are used, `ingress.class` will have precedence.
    values:
      - The ingress class name
    applies_to:
      - ingress
    version_min: "1.4"
    example: ['ingress.class: "haproxy"']
  - title: load-balance
    type: string
    group: balance-algorithm
    dependencies: ""
    default: roundrobin
    description:
      - Sets the load-balancing algorithm to use.
    tip: []
    values:
      - roundrobin
      - static-rr
      - leastconn
      - first
      - source
      - uri [path-only] [whole] [len num] [depth num]
      - url_param name [check_post num]
      - hdr[(name)] [use_domain_only]
      - random[(draws)]
      - rdp-cookie[(name)]
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['load-balance: "leastconn"']
  - title: log-format
    type: string
    group: log-format
    dependencies: ""
    default: ""
    description:
      - Sets the log format string to use for HTTP traffic.
    tip:
      - 'Default log-format is: `%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC
        %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs \"%HM %[var(txn.base)] %HV\"` Which
        will look like this: `10.244.0.1:5793 [10/Apr/2020:10:32:50.132] https~ test-echo1-8080/SRV_TFW8V
        0/0/1/2/3 200 653 - - ---- 1/1/0/0/0 0/0 "GET test.k8s.local/ HTTP/2.0`'
    values:
      - Log format string. More information in [HAProxy documentation](https://docs.haproxy.org/2.8/configuration.html#8.2.3)
    applies_to:
      - configmap
    version_min: "1.4"
    example:
      [
        'log-format: "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs \"%HM %[var(txn.base)] %HV\""',
      ]
  - title: log-format-tcp
    type: string
    group: log-format
    dependencies: ""
    default: ""
    description:
      - Sets the log format string to use for TCP traffic.
    tip:
      - 'Default is option tcplog'
      - 'Applies only to TCP configmap defined by command line option --configmap-tcp-services'
    values:
      - Log format string. More information in [HAProxy documentation](https://docs.haproxy.org/2.8/configuration.html#8.2.3)
    applies_to:
      - configmap
    version_min: "1.7"
    example:
      [
        'log-format-tcp: "%{+Q}o %t %s"'
      ]
  - title: logasap
    type: bool
    group: logging
    dependencies: ""
    default: "false"
    description:
      - Logs request and response data as soon as the server returns a complete set of
        HTTP response headers, instead of waiting for the response to finish sending all
        data.
    tip: []
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['logasap: "true"']
  - title: maxconn
    type: number
    group: maximum-concurrent-connections
    dependencies: ""
    default: ""
    description:
      - Sets the maximum number of concurrent connections that HAProxy will accept.
    tip: []
    values:
      - An integer setting the allowed number of concurrent connections
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['maxconn: "2000"']
  - title: nbthread
    type: number
    group: number-of-threads
    dependencies: ""
    default: ""
    description:
      - Sets the number of worker threads that the HAProxy process will start. If not
        set, HAProxy will create a thread for each available processor.
    tip: []
    values:
      - An integer setting the number of worker threads
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['nbthread: "8"']
  - title: path-rewrite
    type: string
    group: path-rewrite
    dependencies: ""
    default: ""
    description:
      - Replaces the entire URL path with the given value.
    tip: []
    values:
      - A single path, such as "/", to turn any path into "/"
      - Two parameters. A regular expression to match and a path to replace it with.
      - Multiline annotation is split into more rewrite rules.
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example_configmap: |-
      path-rewrite: "/"                        # replace all paths with /
      path-rewrite: (.*) /foo\1                # add the prefix /foo... "/bar?q=1" into "/foo/bar?q=1"
      path-rewrite: ([^?]*)(\?(.*))? \1/foo\2  # add the suffix /foo ... "/bar?q=1" into "/bar/foo?q=1"
      path-rewrite: /foo/(.*) /\1              # strip /foo ... "/foo/bar?q=1" into "/bar?q=1"

      # strip /foo ... "/foo/bar?q=1" into "/bar?q=1" and replace "/bar/*" with "/baz/*"
      # with multiline (using `|`) annotation
      path-rewrite: |
        /foo/(.*) /\1
        /bar/(.*) /baz/\1
    example_ingress: |-
      haproxy.org/path-rewrite: "/"                        # replace all paths with /
      haproxy.org/path-rewrite: (.*) /foo\1                # add the prefix /foo... "/bar?q=1" into "/foo/bar?q=1"
      haproxy.org/path-rewrite: ([^?]*)(\?(.*))? \1/foo\2  # add the suffix /foo ... "/bar?q=1" into "/bar/foo?q=1"
      haproxy.org/path-rewrite: /foo/(.*) /\1              # strip /foo ... "/foo/bar?q=1" into "/bar?q=1"

      # strip /foo ... "/foo/bar?q=1" into "/bar?q=1" and replace "/bar/*" with "/baz/*"
      # with multiline (using `|`) annotation
      haproxy.org/path-rewrite: |
        /foo/(.*) /\1
        /bar/(.*) /baz/\1
  - title: pod-maxconn
    type: number
    group: maximum-concurrent-backend-connections
    dependencies: ""
    default: ""
    description:
      - Sets the maximum number of concurrent connections (maxconn) on a backend server (application pod).
    tip:
      - NB, If multiple HAProxy instances are running, the maxconn will be pod-maxconn number devided by the number of haproxy instances.
    values:
      - An integer setting the maximum number of concurrent backend connections
    applies_to:
      - service
      - ingress
      - configmap
    version_min: "1.4"
    example: ['pod-maxconn: "30"']
  - title: proxy-protocol
    type: IPs or CIDRs
    group: proxy-protocol
    dependencies: ""
    default: ""
    description:
      - Enables Proxy Protocol on client side for a comma-delimited list of IP addresses and/or CIDR ranges.
      - The `0.0.0.0/0` CIDR will enable Proxy Protocol for all incoming traffic.
    tip:
      - Connection will fail with 400 Bad Request if source IP is in annotation list but
        no Proxy Protocol data is sent.
    values:
      - A list of IP addresses and/or CIDR ranges
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['proxy-protocol: "192.168.1.0/24, 192.168.2.100"']
  - title: quic-alt-svc-max-age
    type: number
    dependencies: "ssl-certificate"
    default: ""
    description:
      - Sets the max age in seconds for the alt-svc header as defined by the standard.
    tip:
      - Too high a number can lead to issues. The clients could fail to connect because the services is no more available.
    values:
      - number of seconds for cache retention.
    applies_to:
      - configmap
    version_min: "1.11"
    example: ['quic-alt-svc-max-age: "900"']
  - title: rate-limit-period
    type: "[time](#time)"
    group: rate-limit
    dependencies: ""
    default: 1s
    description:
      - Sets the period of time over which requests are tracked for a given source IP
        address.
    tip: []
    values:
      - Integer with unit of time (1s = 1 second, 1m = 1 minute); Defaults to 1 second
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ['rate-limit-period: "1m"']
  - title: rate-limit-status-code
    type: "string"
    group: rate-limit
    dependencies: ""
    default: 403
    description:
      - Sets the status code to return when rate limiting has been triggered.
    tip: []
    values:
      - HTTP status codes; Defaults to 403.
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example: ['rate-limit-status-code: "429"']
  - title: rate-limit-requests
    type: number
    group: rate-limit
    dependencies: ""
    default: ""
    description:
      - Sets the maximum number of requests that will be accepted from a source IP address during the `rate-limit-period`.
    tip:
      - If this number is exceeded, HAProxy will deny requests with 403 status code.
      - To track the http requests rate, a stick-table named "Ratelimit-<period-in-ms>" will be created. For example, if the `rate-limit-period` is set to *2s*, the name of the table will be *Ratelimit-2000*.
    values:
      - An integer representing the maximum number of requests to accept
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ["rate-limit-requests: 15"]
  - title: rate-limit-size
    type: string
    group: rate-limit
    dependencies: rate-limit
    default: 100k
    description:
      - Sets how many source IP addresses to track, after which older entries are replaced
        by new entries.
    tip:
      - If this number is exceeded, older entries will be dropped as new ones come
    values:
      - An integer defining how many IP addresses to track for rate limiting; Defaults
        to 100,000
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ["rate-limit-size: 1000000"]
  - title: request-capture
    type: "[sample expression](#sample-expression)"
    group: request-capture
    dependencies: ""
    default: ""
    description:
      - When you include *%hr* in the `log-format` string, which is included in
        the default log format, it captures custom information in the logs, which you
        define with this field. For example, you can capture specific cookie values or
        HTTP header values.
    tip:
      - Captures samples of the request using [sample expression](#sample-expression)
        and log them in HAProxy traffic logs.
    values:
      - A header value, e.g. `hdr(header-name)`
      - A cookie value, e.g. `cookie(cookie-name)`
      - Multiple expressions by using a multiline YAML string
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example_configmap: |-
      # capture a single value
      request-capture: cookie(my-cookie)

      # capture multiple values
      request-capture: |
        cookie(my-cookie)
        hdr(Host)
        hdr(User-Agent)
    example_ingress: |-
      # capture a single value
      haproxy.org/request-capture: cookie(my-cookie)

      # capture multiple values
      haproxy.org/request-capture: |
        cookie(my-cookie)
        hdr(Host)
        hdr(User-Agent)
  - title: request-capture-len
    type: number
    group: request-capture
    dependencies: ""
    default: "128"
    description:
      - Sets how many characters to allocate for fields captured by `request-capture`.
    tip: []
    values:
      - An integer representing the number of characters for captured fields; Defaults
        to 128
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example:
      - "request-capture: cookie(my-cookie)"
      - "request-capture-len: 350"
  - title: request-set-header
    type: string
    group: request-set-header
    dependencies: ""
    default: ""
    description:
      - Sets an HTTP header in the request before it is passed to the backend service.
    tip:
      - This sets header before HAProxy does any service/backend dispatch. So in the case
        you want to change the Host header this will impact HAProxy decision on which
        service/backend to use (based on matching Host against ingress rules). In order
        to set the Host header after service selection, use [set-host](#set-host) annotation.
    values:
      - The name of the field, following by its value, e.g. Ingress-ID abcd123
      - Multiple headers can be set using a multiline YAML string
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example_configmap: |-
      # single header
      request-set-header: Ingress-ID abcd123

      # multiple headers
      request-set-header: |
        Ingress-ID abcd123
        Another-Header 12345
    example_ingress: |-
      # single header
      haproxy.org/request-set-header: Ingress-ID abcd123

      # multiple headers
      haproxy.org/request-set-header: |
        Ingress-ID abcd123
        Another-Header 12345
  - title: request-redirect
    type: string
    group: request-redirect
    dependencies: ""
    default: ""
    description:
      - Enables HTTP request redirection based on host and port substitution in original request.
    tip:
      - HTTP redirection code is settable with `request-redirect-code` annotation.
      - Port alone is not allowed.
    values:
      - host
      - host:port
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      ["request-redirect: example.com", "request-redirect: example.com:8888"]
  - title: request-redirect-code
    type: number
    group: request-redirect
    dependencies: "request-redirect"
    default: "302"
    description:
      - Defines the HTTP redirection code used in redirection set with request-redirect.
    tip: []
    values:
      - Integer value.
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example: ['request-redirect-code: "303"']
  - title: response-set-header
    type: string
    group: response-set-header
    dependencies: ""
    default: ""
    description:
      - Sets an HTTP header in the response before it is passed to the client.
    tip: []
    values:
      - The name of the field, following by its value, e.g. Cache-Control "no-store,no-cache,private"
      - Multiple headers can be set using a multiline YAML string
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example_configmap: |-
      # single header
      response-set-header: Cache-Control "no-store,no-cache,private"

      # multiple headers
      response-set-header: |
        Cache-Control "no-store,no-cache,private"
        Strict-Transport-Security "max-age=31536000"
    example_ingress: |-
      # single header
      haproxy.org/response-set-header: Cache-Control "no-store,no-cache,private"

      # multiple headers
      haproxy.org/response-set-header: |
        Cache-Control "no-store,no-cache,private"
        Strict-Transport-Security "max-age=31536000"
  - title: route-acl
    type: string
    group:
    dependencies: ""
    default: ""
    description:
      - Insert a custom route (use_backend rule) to route ingress traffic to the annotated service based on the provided ACL.
    tip:
      - In order for the service to be handled by the Ingress Controller, it is still mandatory to put it in an ingress rule. Using only `route-acl` won't be enough.
      - |
          Note that this annotation is not compatible with an Ingress having multiple paths that will match a request.
          Without this annotation, the precedence  is given first to the longest matching path.
          But with the annotation, the first use_backend rule in the config that matches the request will be used.
    values:
      - A string describing an in-line [HAProxy ACL](https://www.haproxy.com/blog/introduction-to-haproxy-acls/).
    applies_to:
      - service
    version_min: "1.6"
    example: ["route-acl: cookie(staging) -m found"]
  - title: send-proxy-protocol
    type: '["proxy", "proxy-v1", "proxy-v2", "proxy-v2-ssl", "proxy-v2-ssl-cn"]'
    group: send-proxy-protocol
    dependencies: ""
    default: ""
    description:
      - Uses the PROXY Protocol when connecting to backend servers.
    tip: []
    values:
      - proxy - Uses PROXY v1
      - proxy-v1 - Uses PROXY v1
      - proxy-v2 - Uses PROXY v2
      - proxy-v2-ssl Uses PROXY v2 with SSL information extension
      - proxy-v2-ssl-cn Uses PROXY v2 with SSL and Common Name information extension
    applies_to:
      - service
      - ingress
      - configmap
    version_min: "1.5"
    example: ["send-proxy-protocol: proxy-v2"]
  - title: server-ca
    type: string
    group: authentication
    dependencies: ""
    default: ""
    description:
      - Sets the certificate authority for backend servers enabling HAProxy to check backend certificates (TLS authentication) when sending encrypted traffic to the kubernetes applications.
    tip:
      - When used with [server-crt](#server-crt) resulting configuration provides  mutual TLS authentication (mTLS).
      - The secret must use 'tls.crt' key.
    values:
      - Secret path following namespace/secretname format.
    applies_to:
      - service
      - configmap
      - ingress
    version_min: "1.5"
    example: ['server-ca: "ns1/ca"']
  - title: server-crt
    type: string
    group: ""
    dependencies: ""
    default: ""
    description:
      - Specifies the path of a secret containing a certificate that HAProxy can provide during TLS communication with the backend servers.
    tip:
      - The secret must use 'tls.key' and 'tls.crt' keys.
      - When used with [server-ca](#server-ca) resulting configuration provides mutual TLS authentication (mTLS).
    values:
      - Secret path following namespace/secretname format.
    applies_to:
      - service
      - configmap
      - ingress
    version_min: "1.5"
    example: ['server-crt: "ns1/client"']
  - title: server-proto
    type: '["h2"]'
    group: server-proto
    dependencies: ""
    default: ""
    description:
      - HTTP/1.1 is the default protocol for backend servers communication.
        Currently, the `server-proto` annotation supports only "h2" as a value (supporting
        fcgi is also planned) which transmits HTTP/2 messages in the clear to the backend
        servers.
      - However, when SSL is enabled on the backend, `server-proto` is ignored and both
        HTTP/1.1 and HTTP/2 are advertised via ALPN and transmitted as encrypted messages.
    tip: []
    values:
      - "h2"
    applies_to:
      - service
      - configmap
      - ingress
    version_min: "1.5"
    example: ['server-proto: "h2"']
  - title: server-ssl
    type: bool
    group: ""
    dependencies: ""
    default: "false"
    description:
      - Enables SSL to pods.
    tip:
      - Enable HTTP/2 support for backend severs.
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['server-ssl: "true"']
  - title: set-host
    type: string
    group: set-host
    dependencies: ""
    default: ""
    description:
      - Sets the Host header to send to backend services.
    tip: []
    values:
      - The value of the Host header
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ['set-host: "example.local"']
  - title: scale-server-slots
    type: number
    group: backend-scaling
    dependencies: ""
    default: "42"
    description:
      - Sets the number of server slots to provision in order for HAProxy to scale
        dynamically with no reload.
        If this number is greater than the available endpoints/addresses, the remaining
        slots will be disabled (put on stand-by) and ready to be used.
        If this number is lower, the remaining endpoints/addresses will be added after
        scaling the HAProxy backend with a reload.
    tip:
      - Equivalent old annotations are `servers-increment` and `server-slots`
    values:
      - Integer value indicating the number of backend servers to provision. Defaults to 42.
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['scale-server-slots: "75"']
  - title: ssl-certificate
    type: string
    group: ssl-offloading
    dependencies: ""
    default: ""
    description:
      - Sets the name of the Kubernetes secret that contains both the TLS key and certificate.
    tip:
      - this replaces default certificate
      - this is used as the certificate for quic binding
    values:
      - Name of Kubernetes secret
    applies_to:
      - configmap
    version_min: "1.4"
    example: ['ssl-certificate: "default/tls-secret"']
  - title: ssl-passthrough
    type: bool
    group: https
    dependencies: ""
    default: "false"
    description:
      - Passes SSL/TLS traffic through at Layer 4 directly to the backend service without
        Layer 7 inspection.
    tip:
      - Traffic is proxied in TCP mode which makes unavailable a number of the controller
        annotations (requiring HTTP mode).
      - HTTPS frontend is conserved and still listening at port 8444 when previous HTTPS port is moved to SSL Frontend.
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ['ssl-passthrough: "true"']
  - title: ssl-redirect
    type: bool
    group: https
    dependencies: https
    default: "false"
    description:
      - Sets whether to redirect traffic from HTTP to HTTPS.
    tip:
      - SSL redirection is enabled by default for any ingress resource defined with a TLS section `spec.tls[].secretName`.
      - Automatic redirects for ingress resources with TLS enabled, can be disabled by setting annotation to
        "false" in configmap
    values:
      - "true"
      - "false"
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example:
      - 'ssl-redirect: "false"'
      - 'ssl-certificate: "default/tls-secret"'
  - title: ssl-redirect-code
    type: "[301, 302, 303]"
    group: https
    dependencies: ssl-redirect
    default: "302"
    description:
      - Sets the HTTP status code to use when `ssl-redirect` is true.
    tip: []
    values:
      - "301"
      - "302"
      - "303"
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example:
      - 'ssl-redirect: "true"'
      - 'ssl-certificate: "default/tls-secret"'
      - 'ssl-redirect-code: "301"'
  - title: ssl-redirect-port
    type: number
    group: https
    dependencies: ssl-redirect
    default: "8443"
    description:
      - Sets the HTTPS port to redirect to when HTTP to HTTPS traffic redirection is enabled  when `ssl-redirect` is true.
    tip:
      - When setting the HTTPS port value, keep in mind that this is the HTTPS port as seen by the client, not as set on the Ingress Controller. The reason for this distinction lies in the fact that there will probably be some middleware with its own ports mapping between the client and the Ingress Controller. As a consequence, it must be set with a distinct consideration of how the HTTPS port is set on Ingress Controller with the `https-bind-port` command line option.
    values:
      - Integer HTTPS port number
    applies_to:
      - configmap
      - ingress
    version_min: "1.5"
    example:
      - 'ssl-redirect: "true"'
      - 'ssl-redirect-port: "8443"'
  - title: syslog-server
    type: "[syslog](#syslog-fields)"
    group: logging
    dependencies: ""
    default: "address:127.0.0.1, facility: local0, level: notice"
    description:
      - Sets one or more Syslog servers where logs should be forwarded. Each server is
        placed onto its own line. A line supports the following arguments, which are separated
        by commas
    tip:
      - More information can be found in the [HAProxy documentation](https://docs.haproxy.org/2.8/configuration.html#3.1-log)
    values:
      - address - **Required** - IP address where the syslog server is listening.
      - facility - **Required** - One of the 24 syslog facilities (kern, user, mail, daemon, auth, syslog,
        lpr, news, uucp, cron, auth2, ftp, ntp, audit, alert, con2, local0, local1, local2,
        local3, local4, local5, local6, local7); In general, you will want to use one
        of the localX values, since the others are registered for specific types of applications.
      - format - Syslog format, one of the following - rfc3164, rfc5424, short, raw.
        to rfc3164. HAProxy **default** is rfc3164
      - length -  Maximum syslog line length. HAProxy **default** is 1024.
      - level - Maximum verbosity level to filter outgoing messages; Only messages with
        a severity at least as important as this level will be sent; Use one of the following
        (emerg, alert, crit, err, warning, notice, info, debug); Traffic logs are emitted at "info" or higher severity.
        Haproxy **default** is to send all messages.
      - minlevel - Minimum verbosity level. Logs emitted with a more severe level than
        this one will be capped to this level. HAProxy **default** does not set a minlevel.
      - port - Port number where the syslog server is listening. HAProxy **default** is 514.
    applies_to:
      - configmap
    version_min: "1.4"
    example_configmap: |-
      # a single entry
      syslog-server: "address:192.158.1.1, port:514, facility:local0"

      # log to stdout
      syslog-server: "address:stdout, format: raw, facility:daemon"

      # multiple entries
      syslog-server: |
        address:127.0.0.1, port:514, facility:local0
        address:192.168.1.1, port:514, facility:local1
  - title: standalone-backend
    type: bool
    description:
      - Creates a specific and separated backend for this ingress in case multiple ingresses refer to the same service.
    tip:
      - With this annotation you can create your own separate backend whose configuration won't be impacted by others ingresses. As a reminder, all ingresses refering to the same service have their configuration inserted in the same backend which can cause some conflict.
    values:
      - "true"
      - "false"
    applies_to:
      - service
      - ingress
    version_min: "1.10"
    example:
      - 'standalone-backend: "true"'
  - title: timeout-check
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: ""
    description:
      - Sets an additional check timeout, but only after a connection has been already
        established.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.4"
    example: ["timeout-check: 5s"]
  - title: timeout-client
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 50s
    description:
      - Set the maximum inactivity time on the client side.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 50s
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-client: 5s"]
  - title: timeout-client-fin
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: ""
    description:
      - Sets the inactivity timeout on the client side for half-closed connections.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-client-fin: 5s"]
  - title: timeout-connect
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 5s
    description:
      - Sets the maximum time to wait for a connection attempt to a server to succeed.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 5s
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-connect: 5s"]
  - title: timeout-http-request
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 5s
    description:
      - Sets the maximum allowed time to wait for a complete HTTP request.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 5s
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-http-request: 5s"]
  - title: timeout-http-keep-alive
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 1m
    description:
      - Sets the maximum allowed time to wait for a new HTTP request to appear.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 1m
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-http-keep-alive: 5s"]
  - title: timeout-queue
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 5s
    description:
      - Sets the maximum time to wait in the queue for a connection slot to be free.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 5s
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-queue: 5s"]
  - title: timeout-server
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 50s
    description:
      - Sets the maximum inactivity time on the server side.
      - configmap available since version 1.4
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 50s
    applies_to:
      - configmap
      - ingress
      - service
    version_min: "1.11"
    example: ["timeout-server: 5s"]
  - title: timeout-server-fin
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: ""
    description:
      - Sets the inactivity timeout on the server side for half-closed connections.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-server-fin: 5s"]
  - title: timeout-tunnel
    type: "[time](#time)"
    group: timeouts
    dependencies: ""
    default: 1h
    description:
      - Set the maximum inactivity time on the client and server side for tunnels.
    tip: []
    values:
      - An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour); Defaults
        to 1h
    applies_to:
      - configmap
    version_min: "1.4"
    example: ["timeout-tunnel: 30m"]
  - title: whitelist
    type: IPs/CIDRs or pattern file
    group: access-control
    dependencies: ""
    default: ""
    description:
      - "**Deprecated**, use `allow-list` instead."
      - Blocks all IP addresses except the whitelisted ones (annotation value).
    tip:
      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
    values:
      - Comma-separated list of IP addresses and/or CIDR ranges
      - Path to a pattern file, e.g. `pattern/ips`
    applies_to:
      - configmap
      - ingress
    version_min: "1.4"
    example: ['whitelist: "192.168.1.0/24, 192.168.2.100"']
  - title: allow-list
    type: IPs/CIDRs or pattern file
    group: access-control
    dependencies: ""
    default: ""
    description:
      - Blocks all IP addresses except the whitelisted ones (annotation value).
    tip:
      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
    values:
      - Comma-separated list of IP addresses and/or CIDR ranges
      - Path to a pattern file, e.g. `pattern/ips`
    applies_to:
      - configmap
      - ingress
    version_min: "1.11"
    example: ['allow-list: "192.168.1.0/24, 192.168.2.100"']
  - title: tls-alpn
    type: string
    group: https
    dependencies: ""
    default: "h2,http/1.1"
    description:
      - Define the TLS ALPN extension advertisement. This will change the alpn advertisement for the https frontend when ssl is enabled.
    tip:
      - To disable HTTP/2 over https, simply use a value like "http/1.1" for this annotation
    values:
      - Comma-separated list of protocol names to advertise as supported on top of ALPN
    applies_to:
      - configmap
    version_min: "1.7"
    example:
      - "tls-alpn: http/1.1"