charts/bitnami/haproxy

Bitnami package for HAProxy

HAProxy is a TCP proxy and a HTTP reverse proxy. It supports SSL termination and offloading, TCP and HTTP normalization, traffic regulation, caching and protection against DDoS attacks.

Overview of HAProxy

Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

TL;DR

helm install my-release oci://registry-1.docker.io/bitnamicharts/haproxy

Looking to use HAProxy in production? Try VMware Tanzu Application Catalog, the commercial edition of the Bitnami catalog.

⚠️ Important Notice: Upcoming changes to the Bitnami Catalog

Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new Bitnami Secure Images initiative. As part of this transition:

• Granting community users access for the first time to security-optimized versions of popular container images.
• Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes
• Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
• For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support.

These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the Bitnami Secure Images announcement.

Introduction

Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.

This chart bootstraps a HAProxy Deployment in a Kubernetes cluster using the Helm package manager.

Prerequisites

• Kubernetes 1.23+
• Helm 3.8.0+

Installing the Chart

To install the chart with the release name my-release:

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/haproxy

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The command deploys haproxy on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip

: List all releases using helm list

Configuration and installation details

Resource requests and limits

Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.

To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcesPreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

Configure HAProxy

By default, HAProxy is deployed with a sample, non-functional, configuration. You will need to edit the following values to adapt it to your use case:

• Set the configuration to be injected in the haproxy.cfg file by changing the configuration parameter. Alternatively, you can provide an existing ConfigMap with haproxy.cfg by using the existingConfigmap parameter.

  The example below configures HAProxy to forward all requests to port 8080 to a service called service1:8080 (it is assumed that this is accessible from inside the cluster).

  configuration: |
    global
      log 127.0.0.1 local2
      maxconn 4096
  
    defaults
      mode http
      log global
      option httplog
      option dontlognull
      option http-server-close
      option forwardfor except 127.0.0.0/8
      option redispatch
      retries 3
      timeout http-request 20s
      timeout queue 1m
      timeout connect 10s
      timeout client 1m
      timeout server 1m
      timeout http-keep-alive 30s
      timeout check 10s
      maxconn 3000
  
    frontend fe_http
      option forwardfor except 127.0.0.1
      option httpclose
      bind *:8080
      default_backend be_http
  
    backend be_http
      balance roundrobin
      server nginx service:8080 check port 8080
  

• Based on your HAProxy configuration, edit the containerPorts and service.ports parameters. In the containerPorts parameter, set all the ports that the HAProxy configuration uses, and in the service.ports parameter, set the ports to be externally exposed.

  For the example above, the configuration would look like this:

  service:
    - name: http
      port: 80 # We use port 80 in the service
      targetPort: http
  
  containerPorts:
    - name: http
      containerPort: 8080
  

Backup and restore

To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. Find the instructions for using Velero in this guide.

Add extra environment variables

To add extra environment variables (useful for advanced operations like custom init scripts), use the extraEnvVars property.

extraEnvVars:
  - name: LOG_LEVEL
    value: error

Alternatively, use a ConfigMap or a Secret with the environment variables. To do so, use the extraEnvVarsCM or the extraEnvVarsSecret values.

Use Sidecars and Init Containers

If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the sidecars config parameter.

sidecars:
- name: your-image-name
  image: your-image
  imagePullPolicy: Always
  ports:
  - name: portname
    containerPort: 1234

If these sidecars export extra ports, extra port definitions can be added using the service.extraPorts parameter (where available), as shown in the example below:

service:
  extraPorts:
  - name: extraPort
    port: 11311
    targetPort: 11311

NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the --enable-metrics=true parameter at deployment time. The sidecars parameter should therefore only be used for any extra sidecar containers.

If additional init containers are needed in the same pod, they can be defined using the initContainers parameter. Here is an example:

initContainers:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
      - name: portname
        containerPort: 1234

Learn more about sidecar containers and init containers.

Set Pod affinity

This chart allows you to set custom Pod affinity using the affinity parameter. Find more information about Pod affinity in the Kubernetes documentation.

As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the podAffinityPreset, podAntiAffinityPreset, or nodeAffinityPreset parameters.

Parameters

Global parameters

Name	Description	Value
global.imageRegistry	Global Docker image registry	""
global.imagePullSecrets	Global Docker registry secret names as an array	[]
global.defaultStorageClass	Global default StorageClass for Persistent Volume(s)	""
global.storageClass	DEPRECATED: use global.defaultStorageClass instead	""
global.security.allowInsecureImages	Allows skipping image verification	false
global.compatibility.openshift.adaptSecurityContext	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)	auto

Common parameters

Name	Description	Value
kubeVersion	Override Kubernetes version	""
nameOverride	String to partially override common.names.fullname	""
fullnameOverride	String to fully override common.names.fullname	""
commonLabels	Labels to add to all deployed objects	{}
commonAnnotations	Annotations to add to all deployed objects	{}
clusterDomain	Kubernetes cluster domain name	cluster.local
extraDeploy	Array of extra objects to deploy with the release	[]
deploymentAnnotations	Annotations to add to the deployment	{}
diagnosticMode.enabled	Enable diagnostic mode (all probes will be disabled and the command will be overridden)	false
diagnosticMode.command	Command to override all containers in the deployment	["sleep"]
diagnosticMode.args	Args to override all containers in the deployment	["infinity"]

Traffic Exposure Parameters

Name	Description	Value
service.type	haproxy service type	LoadBalancer
service.ports	List of haproxy service ports	[]
service.clusterIP	haproxy service Cluster IP	""
service.loadBalancerIP	haproxy service Load Balancer IP	""
service.loadBalancerSourceRanges	haproxy service Load Balancer sources	[]
service.externalTrafficPolicy	haproxy service external traffic policy	Cluster
service.externalIPs	External IPs	[]
service.annotations	Additional custom annotations for haproxy service	{}
service.sessionAffinity	Session Affinity for Kubernetes service, can be "None" or "ClientIP"	None
service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
service.labels	Additional custom labels for haproxy service	{}
networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
networkPolicy.allowExternal	Don't require server label for connections	true
networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}
ingress.enabled	Enable ingress record generation for haproxy	false
ingress.pathType	Ingress path type	ImplementationSpecific
ingress.apiVersion	Force Ingress API version (automatically detected if not set)	""
ingress.hostname	Default host for the ingress record	haproxy.local
ingress.path	Default path for the ingress record	/
ingress.annotations	Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.	{}
ingress.tls	Enable TLS configuration for the host defined at ingress.hostname parameter	false
ingress.selfSigned	Create a TLS secret for this ingress record using self-signed certificates generated by Helm	false
ingress.extraHosts	An array with additional hostname(s) to be covered with the ingress record	[]
ingress.extraPaths	An array with additional arbitrary paths that may need to be added to the ingress under the main host	[]
ingress.extraTls	TLS configuration for additional hostname(s) to be covered with this ingress record	[]
ingress.secrets	Custom TLS certificates as secrets	[]
ingress.ingressClassName	IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)	""
ingress.extraRules	Additional rules to be covered with this ingress record	[]
terminationGracePeriodSeconds	Seconds HAProxy pod needs to terminate gracefully	""

HAProxy Parameters

Name	Description	Value
image.registry	HAProxy image registry	REGISTRY_NAME
image.repository	HAProxy image repository	REPOSITORY_NAME/haproxy
image.digest	HAProxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag	""
image.pullPolicy	HAProxy image pull policy	IfNotPresent
image.pullSecrets	HAProxy image pull secrets	[]
replicaCount	Number of haproxy replicas to deploy	1
startupProbe.enabled	Enable startupProbe on haproxy nodes	false
startupProbe.initialDelaySeconds	Initial delay seconds for startupProbe	15
startupProbe.periodSeconds	Period seconds for startupProbe	10
startupProbe.timeoutSeconds	Timeout seconds for startupProbe	5
startupProbe.failureThreshold	Failure threshold for startupProbe	5
startupProbe.successThreshold	Success threshold for startupProbe	1
livenessProbe.enabled	Enable livenessProbe on haproxy nodes	true
livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	15
livenessProbe.periodSeconds	Period seconds for livenessProbe	10
livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
livenessProbe.failureThreshold	Failure threshold for livenessProbe	5
livenessProbe.successThreshold	Success threshold for livenessProbe	1
readinessProbe.enabled	Enable readinessProbe on haproxy nodes	true
readinessProbe.initialDelaySeconds	Initial delay seconds for readinessProbe	15
readinessProbe.periodSeconds	Period seconds for readinessProbe	10
readinessProbe.timeoutSeconds	Timeout seconds for readinessProbe	5
readinessProbe.failureThreshold	Failure threshold for readinessProbe	5
readinessProbe.successThreshold	Success threshold for readinessProbe	1
customStartupProbe	Custom startupProbe that overrides the default one	{}
customLivenessProbe	Custom livenessProbe that overrides the default one	{}
customReadinessProbe	Custom readinessProbe that overrides the default one	{}
resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).	nano
resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
podSecurityContext.enabled	Enabled haproxy pods' Security Context	true
podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
podSecurityContext.fsGroup	Set haproxy pod's Security Context fsGroup	1001
containerSecurityContext.enabled	Enabled containers' Security Context	true
containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
containerSecurityContext.runAsUser	Set containers' Security Context runAsUser	1001
containerSecurityContext.runAsGroup	Set containers' Security Context runAsGroup	1001
containerSecurityContext.runAsNonRoot	Set container's Security Context runAsNonRoot	true
containerSecurityContext.privileged	Set container's Security Context privileged	false
containerSecurityContext.readOnlyRootFilesystem	Set container's Security Context readOnlyRootFilesystem	true
containerSecurityContext.allowPrivilegeEscalation	Set container's Security Context allowPrivilegeEscalation	false
containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
containerSecurityContext.seccompProfile.type	Set container's Security Context seccomp profile	RuntimeDefault
pdb.create	Enable a Pod Disruption Budget creation	true
pdb.minAvailable	Minimum number/percentage of pods that should remain scheduled	""
pdb.maxUnavailable	Maximum number/percentage of pods that may be made unavailable	""
autoscaling.enabled	Enable Horizontal POD autoscaling for HAProxy	false
autoscaling.minReplicas	Minimum number of HAProxy replicas	1
autoscaling.maxReplicas	Maximum number of HAProxy replicas	11
autoscaling.targetCPU	Target CPU utilization percentage	50
autoscaling.targetMemory	Target Memory utilization percentage	50
command	Override default container command (useful when using custom images)	[]
args	Override default container args (useful when using custom images)	[]
automountServiceAccountToken	Mount Service Account token in pod	false
hostAliases	haproxy pods host aliases	[]
podLabels	Extra labels for haproxy pods	{}
podAnnotations	Annotations for haproxy pods	{}
podAffinityPreset	Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
podAntiAffinityPreset	Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
nodeAffinityPreset.type	Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
nodeAffinityPreset.key	Node label key to match. Ignored if affinity is set	""
nodeAffinityPreset.values	Node label values to match. Ignored if affinity is set	[]
configuration	haproxy configuration	""
containerPorts	List of container ports to enable in the haproxy container	[]
existingConfigmap	configmap with HAProxy configuration	""
affinity	Affinity for haproxy pods assignment	{}
nodeSelector	Node labels for haproxy pods assignment	{}
tolerations	Tolerations for haproxy pods assignment	[]
schedulerName	Name of the k8s scheduler (other than default)	""
topologySpreadConstraints	Topology Spread Constraints for pod assignment	[]
updateStrategy.type	haproxy statefulset strategy type	RollingUpdate
priorityClassName	haproxy pods' priorityClassName	""
lifecycleHooks	for the haproxy container(s) to automate configuration before or after startup	{}
extraEnvVars	Array with extra environment variables to add to haproxy nodes	[]
extraEnvVarsCM	Name of existing ConfigMap containing extra env vars for haproxy nodes	""
extraEnvVarsSecret	Name of existing Secret containing extra env vars for haproxy nodes	""
extraVolumes	Optionally specify extra list of additional volumes for the haproxy pod(s)	[]
extraVolumeMounts	Optionally specify extra list of additional volumeMounts for the haproxy container(s)	[]
sidecars	Add additional sidecar containers to the haproxy pod(s)	[]
initContainers	Add additional init containers to the haproxy pod(s)	[]

Other Parameters

Name	Description	Value
serviceAccount.create	Specifies whether a ServiceAccount should be created	true
serviceAccount.name	Name of the service account to use. If not set and create is true, a name is generated using the fullname template.	""
serviceAccount.automountServiceAccountToken	Automount service account token for the server service account	false
serviceAccount.annotations	Annotations for service account. Evaluated as a template. Only used if create is true.	{}
serviceAccount.create	Specifies whether a ServiceAccount should be created	true
serviceAccount.name	The name of the ServiceAccount to use.	""
enableServiceLinks	If set to false, disable Kubernetes service links in the pod spec	true

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set service.type=LoadBalancer \
    oci://REGISTRY_NAME/REPOSITORY_NAME/haproxy

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The above command sets the HAProxy service type as LoadBalancer.

NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/haproxy

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts. Tip: You can use the default values.yaml

Troubleshooting

Find more information about how to deal with common errors related to Bitnami's Helm charts in this troubleshooting guide.

Upgrading

To 2.2.0

This version introduces image verification for security purposes. To disable it, set global.security.allowInsecureImages to true. More details at GitHub issue.

To 1.0.0

This major bump changes the following security defaults:

• runAsGroup is changed from 0 to 1001
• readOnlyRootFilesystem is set to true
• resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
• global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

License

Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.