
Releases: brdelphus/ingress-caddy

caddy-0.9.5

16 Apr 11:20


Bug Fixes

  • Caddy container no longer exits immediately on startup — Dockerfile was missing CMD; the binary printed help text and exited. Added CMD ["run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] to the Dockerfile and matching args to the DaemonSet template so both the image default and the chart are self-consistent.
  • Liveness/readiness probes now reach the admin API — admin was bound to localhost and probes used host: localhost, which the kubelet resolves to the node's loopback rather than the pod's. Changed admin.host default to "" (binds 0.0.0.0) and removed the host: override from both probes. Affected all deployments using hostPorts (non-hostNetwork); pods were killed after ~70 s by the failing liveness probe.

Helm chart: 0.9.5

Full diff: caddy-0.9.4...caddy-0.9.5

caddy-0.9.4

02 Apr 15:30


New Features

  • caddy.ingress/auth-policy annotation — reference a ConfigMap (same namespace) whose handler key contains raw Caddy handler JSON. Injected into the route after the WAF and before the reverse_proxy, enabling caddy-security authorization policies without editing the Caddyfile directly.

Helm chart: 0.9.4

  • imagePullSecrets — support private container registries
  • affinity — pod affinity/anti-affinity rules
  • podSecurityContext — pod-level security context
  • securityContext — container-level security context; defaults to NET_BIND_SERVICE + drop all other capabilities
  • service.labels — extra labels on the LoadBalancer Service
  • Bug fix: podAnnotations was applied to DaemonSet metadata instead of the pod template

Security

  • Base image switched from Alpine 3.23 to Chainguard static (Wolfi) — eliminates all OS-level CVEs (16 found by Grype on Alpine: 3 High, 10 Medium, 3 Low in curl, libcrypto3, nghttp2-libs, busybox). Chainguard images are rebuilt daily with automated patching.
  • Binary now built with CGO_ENABLED=0 — fully static binary, no libc dependency, runs on any Linux kernel.

Helm chart: 0.9.3

Full diff: caddy-0.9.3...caddy-0.9.4

caddy-0.9.3

02 Apr 11:27


Security

  • Base image switched from Alpine 3.23 to Chainguard static (Wolfi) — eliminates all OS-level CVEs (16 found by Grype on Alpine: 3 High, 10 Medium, 3 Low in curl, libcrypto3, nghttp2-libs, busybox). Chainguard images are rebuilt daily with automated patching.
  • Binary now built with CGO_ENABLED=0 — fully static binary, no libc dependency, runs on any Linux kernel.

Helm chart: 0.9.3

Full diff: caddy-0.9.2...caddy-0.9.3

caddy-0.9.2

01 Apr 19:13


Security

  • CVE-2026-30836 (CRITICAL) — upgraded github.com/smallstep/certificates from v0.30.0-rc3 to v0.30.0 — unauthenticated certificate issuance via SCEP Update Request
  • CVE-2026-33186 (CRITICAL) — upgraded google.golang.org/grpc from v1.79.1 to v1.79.3 — authorization bypass via improper HTTP/2 path validation
  • CVE-2026-22184 (HIGH) — added apk upgrade --no-cache in Docker final stage to patch zlib 1.3.1-r2 → 1.3.2-r0 (buffer overflow in untgz utility)

Helm chart: 0.9.2

Bug Fixes

  • WAF: OWASP CRS rules were never loaded — wafHandler() in caddy-k8s was missing the three mandatory Include directives (@coraza.conf-recommended, @crs-setup.conf.example, @owasp_crs/*.conf). load_owasp_crs: true only makes the virtual paths available; without the Includes, zero CRS rules were evaluated on any Ingress with caddy.ingress/waf: on.
  • WAF: SecRuleEngine ordering fixed — In both caddy-k8s and the Helm Caddyfile snippet, SecRuleEngine was placed before the CRS Includes. Since @coraza.conf-recommended resets it to DetectionOnly, our On override must come after all Includes.
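
Both WAF fixes above can be checked mechanically against a Coraza directives block. The following Go sketch is an added example, not code from caddy-k8s or the Helm chart; `LintDirectives` and the sample directive strings are constructed for illustration and assume one directive per line.

```go
package main

import (
	"fmt"
	"strings"
)

var requiredIncludes = []string{"@coraza.conf-recommended", "@crs-setup.conf.example", "@owasp_crs/*.conf"}

// Constructed samples (not taken from the project): the two broken shapes and the fixed one.
const (
	includes   = "Include @coraza.conf-recommended\nInclude @crs-setup.conf.example\nInclude @owasp_crs/*.conf\n"
	missing    = "SecRuleEngine On\n"            // no Includes: zero CRS rules evaluated
	misordered = "SecRuleEngine On\n" + includes // recommended config resets the engine afterwards
	fixed      = includes + "SecRuleEngine On\n" // override comes after all Includes
)

// LintDirectives (hypothetical helper) returns the problems found in a directives block.
func LintDirectives(directives string) []string {
	seen := map[string]bool{}
	lastInclude, lastEngine, mode := -1, -1, ""
	for i, line := range strings.Split(directives, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			switch strings.ToLower(f[0]) {
			case "include":
				seen[f[1]], lastInclude = true, i
			case "secruleengine":
				lastEngine, mode = i, f[1]
			}
		}
	}
	var problems []string
	for _, inc := range requiredIncludes {
		if !seen[inc] {
			problems = append(problems, "missing Include "+inc)
		}
	}
	switch {
	case lastEngine == -1:
		problems = append(problems, "no SecRuleEngine directive")
	case lastEngine < lastInclude:
		problems = append(problems, "SecRuleEngine must follow the last Include")
	case !strings.EqualFold(mode, "On"):
		problems = append(problems, "SecRuleEngine is "+mode+", not On")
	}
	return problems
}

func main() {
	fmt.Printf("missing: %q\nmisordered: %q\nfixed: %q\n", LintDirectives(missing), LintDirectives(misordered), LintDirectives(fixed))
}
```

A check like this fits in CI against the rendered chart output, since both defects left the WAF annotation accepted while no rules were enforced.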

Helm chart: 0.9.1

Versions track the ingress-caddy image. The Helm chart version is independent
but its appVersion always matches the image version.

Full diff: caddy-0.9.1...caddy-0.9.2

caddy-0.9.1

01 Apr 13:01


What's Changed

Bug Fixes

  • fix: correct SecRuleEngine ordering in Caddyfile WAF snippet; docs for per-Ingress WAF rules (a4f9212)

Full diff: caddy-0.9.0...caddy-0.9.1

caddy-0.9.0

01 Apr 12:05


What's Changed

Features

  • feat: introduce image versioning — ingress-caddy 1.0.0 (caa0664)

Full diff: caddy-0.8.2...caddy-0.9.0

caddy-0.8.2

01 Apr 00:45


What's Changed

Other

  • chore: release 0.8.2 — fix chart-releaser config and doc corrections (b9f3d9b)

Full diff: caddy-0.8.1...caddy-0.8.2

caddy-0.8.1

01 Apr 00:33


What's Changed

Other

  • chore: release 0.8.1 — rename to ingress-caddy, IngressClass caddy (58d0c5f)
  • chore: rename IngressClass caddy-custom → caddy (55d8222)
  • chore: rename repo caddy-custom → ingress-caddy (54e25a5)

Full diff: caddy-0.8.0...caddy-0.8.1

caddy-0.8.0

31 Mar 20:03


What's Changed

Features

  • feat: add access_log, request/response header annotation support in Helm chart (5b4efd2)

Other

  • chore: rename IngressClass caddy-custom → caddy (55d8222)
  • chore: rename repo caddy-custom → ingress-caddy (54e25a5)
  • chore: release 0.8.0 — access logging and header annotations (7e30a3d)

Full diff: caddy-0.7.0...caddy-0.8.0

caddy-0.7.0

31 Mar 14:13


What's Changed

Features

  • feat: annotation-driven TLS model with caddy.ingress/tls handler declaration (04231c4)
  • feat: add list/watch secrets permission for spec.tls support (631c980)

Other

  • chore: release 0.7.0 — TLS model overhaul and per-Ingress annotations (b0abd71)
  • refactor: remove k8sIngress.enabled — ingress controller is always on (ed4e891)

Full diff: caddy-0.6.0...caddy-0.7.0