
Releases: taylanbakircioglu/haproxy-openmanager

v1.8.4 — Agent installer self-kill fix

27 Jun 11:15


Automated release for v1.8.4 (from version.json).

v1.8.3 — Agent heartbeat JSON fix

25 Jun 12:02


Automated release for v1.8.3 (from version.json).

v1.8.2 — ACME nonce fix (ZeroSSL registration)

24 Jun 22:44


Automated release for v1.8.2 (from version.json).

v1.8.1 — ACME DNS-01 fixes (Cloudflare token, EAB, Apply Management)

24 Jun 17:55


Automated release for v1.8.1 (from version.json).

v1.8.0 — ACME DNS-01 challenge support

23 Jun 23:49


Automated release for v1.8.0 (from version.json).

v1.7.8 — HA/VIP — per-node apply progress

15 Jun 09:52


HA/VIP (Keepalived) management from the UI: define and manage virtual IPs and keepalived across nodes, with approval-gated deletion, per-node apply progress, and diagnostics. Includes the 1.7.x follow-up fixes. See #27.

v1.6.0 — Multi-Factor Authentication

19 May 01:36


v1.6.0 — Multi-Factor Authentication (MFA)

Adds opt-in TOTP-based Multi-Factor Authentication to HAProxy OpenManager. Fully backwards compatible — accounts that don't enable MFA see no change in their login flow.

Highlights

  • TOTP (RFC 6238) — 6 digits, 30s period, ±1 step skew tolerance. Verified end-to-end with Microsoft Authenticator, Google Authenticator, Authy, Duo, 1Password.
  • Backup codes — 10 single-use, bcrypt-hashed codes per user, formatted XXXX-YYYY from a confusion-free alphabet (no 0/O, 1/I, L).
  • Two-step login: POST /api/auth/login returns mfa_required + mfa_token, then POST /api/auth/login/mfa-verify accepts a TOTP code OR a backup code. The JWT is minted only after MFA succeeds, so a password alone never yields a session.
  • Self-service — users enable / disable MFA from their own row in the Users page. Admins reset (single user or bulk) but never enable on behalf of someone else (matches AWS IAM / GitHub / Google Workspace).
  • Bulk emergency reset: scripts/admin-mfa-reset-all.sh for operators recovering from a lost-device incident.
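As an added example (this is not code from HAProxy OpenManager), a stdlib-only Python verifier with the parameters stated above: 6 digits, 30 s period, ±1 step skew, plus the per-step replay check the Security section below describes. The MfaUser class, the verify_totp name and the in-memory row are assumptions; the secret is the RFC 4226 / RFC 6238 test key, so the codes can be checked against the RFC tables.

```python
"""Added example, not the project's code: RFC 6238 TOTP verification with
6 digits, a 30 s period, +/-1 step of skew and per-step replay protection.
Names other than mfa_last_used_totp_step are assumptions for illustration."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

DIGITS = 6
PERIOD = 30
SKEW_STEPS = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_step(now: int, period: int = PERIOD) -> int:
    """Time step T = floor(unix_time / period)."""
    return now // period


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP is HOTP with the time step as the counter."""
    return hotp(secret, totp_step(now, period))


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as Base32 (otpauth:// URI);
    re-add any padding the URI form drops."""
    return base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))


@dataclass
class MfaUser:
    """Stand-in for the users row (constructed for the example); only the
    mfa_last_used_totp_step column name comes from the release notes."""
    secret: bytes
    mfa_last_used_totp_step: Optional[int] = None


def verify_totp(user: MfaUser, code: str, now: Optional[int] = None) -> bool:
    """Accept a code for the current step or its +/-SKEW_STEPS neighbours,
    refuse any step at or before the last accepted one, and record the step.
    In a real backend the read-check-update must run under a row lock
    (SELECT ... FOR UPDATE) so two concurrent verifies cannot both pass."""
    if now is None:
        now = int(time.time())
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = totp_step(now)
    for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(user.secret, step), code):
            # Replay protection: a valid code for a step that is not strictly
            # newer than the last accepted step is rejected.
            last = user.mfa_last_used_totp_step
            if last is not None and step <= last:
                return False
            user.mfa_last_used_totp_step = step
            return True
    return False


if __name__ == "__main__":
    rfc_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    row = MfaUser(rfc_secret)
    print(totp(rfc_secret, 59))                      # 287082 (RFC 6238, T=59)
    print(verify_totp(row, "287082", now=59))        # True
    print(verify_totp(row, "287082", now=59))        # False: replayed step
```

The skew window means a code from the previous step is still accepted, which is why the replay check compares step numbers rather than code strings: once step N has been consumed, a still-valid code for step N-1 is refused as well.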

Security

  • Atomic transactions with SELECT … FOR UPDATE so concurrent verify / enroll calls cannot race.
  • Per-step replay protection (mfa_last_used_totp_step).
  • Fernet-encrypted TOTP secrets at rest (MFA_ENCRYPTION_KEY, HKDF-derived from SECRET_KEY as fallback).
  • Re-enrollment refused while MFA is on (prevents silent secret rotation via a stolen JWT).
  • User-aware rate limits with a trusted-proxy X-Forwarded-For strategy: only hops inside MFA_TRUSTED_PROXY_CIDRS are trusted when deriving the client address, so a single ingress address cannot exhaust the bucket for everyone behind it, and an untrusted peer cannot spoof its way out of its own bucket (MFA_TRUSTED_PROXY_CIDRS, MFA_RATE_LIMIT_*).
  • Login query scoped to is_active = TRUE — closes a small account-enumeration side channel and a re-creation-after-soft-delete edge case.

Database

Additive migrations only (ADD COLUMN IF NOT EXISTS, CREATE TABLE IF NOT EXISTS). Safe to apply on a live cluster:

  • users: mfa_enabled, mfa_method, mfa_secret_encrypted, mfa_enrolled_at, mfa_last_used_at, mfa_last_used_totp_step
  • mfa_backup_codes, mfa_pending_logins, mfa_pending_enrollments (all ON DELETE CASCADE)

Install

docker pull taylanbakircioglu/haproxy-openmanager-backend:1.6.0
docker pull taylanbakircioglu/haproxy-openmanager-frontend:1.6.0

K8s deployment is identical to v1.5.x — image tag bump only. Two secret values (SECRET_KEY, which already existed, and the new MFA_ENCRYPTION_KEY) are now placeholder-driven in k8s/manifests/03-secrets.yaml so your pipeline can sed-replace them at apply time.

Upgrading from v1.5.x

TL;DR — only bump your image tags. The cluster's existing backend-secret (with your current SECRET_KEY) is preserved; MFA_ENCRYPTION_KEY is optional and falls back to an HKDF derivation from SECRET_KEY, so MFA works without it.

⚠️ DO NOT re-apply k8s/manifests/03-secrets.yaml verbatim from this release unless your pipeline replaces the placeholders first. The shipped manifest contains secret_key_replace_me / mfa_encryption_key_replace_me; applying it directly would overwrite your existing SECRET_KEY with that literal string and invalidate every active session + all encrypted TOTP secrets.

Recommended upgrade path:

# 1) Bump the image tags (no other manifest changes required)
kubectl set image deployment/haproxy-openmanager-backend  backend=taylanbakircioglu/haproxy-openmanager-backend:1.6.0  -n haproxy-openmanager
kubectl set image deployment/haproxy-openmanager-frontend frontend=taylanbakircioglu/haproxy-openmanager-frontend:1.6.0 -n haproxy-openmanager

Optional — to set an explicit MFA_ENCRYPTION_KEY (recommended for key rotation independence in production):

MFA_KEY=$(python3 -c 'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())')
# Merge patch: a JSON-patch "add" on /stringData/... fails on an existing Secret,
# because the stored object has no stringData map for the path to land in.
kubectl patch secret backend-secret -n haproxy-openmanager \
  --type='merge' \
  -p="{\"stringData\":{\"MFA_ENCRYPTION_KEY\":\"$MFA_KEY\"}}"
kubectl rollout restart deployment/haproxy-openmanager-backend -n haproxy-openmanager

Documentation

  • README — MFA section (overview, day-to-day operations, env vars, rate-limit tuning).
  • scripts/README.md — emergency bulk reset CLI.

Closes

Future work (not in this release)

  • WebAuthn / Passkeys (Phase 2 — flagged as a stretch goal in #18).