Fluxheim 1.5.11

Fluxheim 1.5.11 Release Notes

Fluxheim 1.5.11 starts the service-discovery and control-plane integration
line.

Planned Scope

• Add one or more bounded discovery adapters such as Kubernetes, Consul, or
  xDS after local DNS/file discovery and runtime backend mutation are stable.
• Keep discovery changes inside clear authentication/trust boundaries, churn
  limits, safe fallback behavior, status visibility, audit/metrics events, and
  reload behavior.
• Do not add UDP/GSLB, WAF, VPN/firewall appliance behavior, or
  Wasm/iRules/Lua scripting in this release.

Changed

• Updated Fluxheim and the vendored pingora-core metrics dependency from
  Prometheus 0.13 to Prometheus 0.14.
• Moved the transitive protobuf dependency from vulnerable 2.x to protobuf
  3.7.2 through the Prometheus update.
• Removed the obsolete RUSTSEC-2024-0437 suppression from cargo audit,
  cargo deny, and release metadata validation.
• Kept Pingora pinned at =0.8.0 so normal dependency refreshes cannot bypass
  Fluxheim's patched vendored Pingora core.
• Hardened downstream HTTP/2 defaults against the HTTP/2 Bomb class by capping
  decoded request header lists at 64 KiB per stream, capping remotely initiated
  concurrent streams at 32 per connection, and defaulting downstream write
  timeout to 30 seconds.
• Added bounded pull-based HTTP upstream discovery for load-balancer pools using
  proxy.upstreams_http_url, optional bearer-token authentication, 64 KiB
  response limits, 2-64 unique authority validation, and 1-300 second refresh
  intervals.
• Added discovery runtime status to load-balancer admin and ops-socket output:
  mode, refresh enablement, update frequency, success/failure counters, last
  success/failure timestamps, and a bounded last-error field.
• Added bounded load-balancer metric events for background discovery refresh
  success and failure, labeled with the existing vhost/route pool identity.
• Hardened reload classification for load-balancer services so static pool
  membership, route-local pools, file/DNS/HTTP discovery sources, refresh
  intervals, and HTTP discovery bearer-token files require the process-upgrade
  path instead of a live snapshot reload.
• Hardened HTTP discovery fetches by advertising Accept: application/json and
  Cache-Control: no-store, rejecting non-JSON Content-Type values when
  present, and rejecting empty or whitespace-bearing bearer-token files before
  constructing the Authorization header.
• Added examples/load-balancer-http-discovery.toml as a minimal
  control-plane-backed load-balancer example.
• Refreshed load-balancer migration boundary documentation so runtime
  add/remove/update behavior, local runtime-state persistence, and HTTP
  discovery limits match the current 1.5.x implementation.
• Hardened HTTP discovery bearer-token handling by zeroizing Fluxheim's
  formatted Authorization header copy after request construction, and checked
  the discovered-upstream cap before allocating the rejected entry.

Checksums And Signatures

• Commit: aa417b684a5d1c833c8f01ea982c3b9718128463
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 3a44841bc833dea32122f2cccaf983d0d9ed42afb4cf9aaaeba767bf84563b86 fluxheim-1.5.11.tar.gz
  • 52ff8f1ab73c9e57196717e934f902ca7c81e7c233bfa66800db35d203cb6451 fluxheim-1.5.11.zip
• Binary checksums:
  • x86_64:
    • c47e3e7258b6bf1dbba2fb813f6bf979a7d59d2efee24d98b676358eb001386a fluxheim-1.5.11-full-x86_64-linux.tar.gz
    • 5a9ad6c646f51e80aa379b2df9f7bc3a213fc4232cc318fd2a70dbd57bcd183a fluxheim-1.5.11-cache-x86_64-linux.tar.gz
    • 35c8eca2b2739f3bae112793038d5c394f4fcb9b972d8e2e7f8ae0ae58e637c4 fluxheim-1.5.11-proxy-x86_64-linux.tar.gz
    • 15f5428333868b0c740fd4e657281bbb8bd235d9ed0489ebdff911421b67d183 fluxheim-1.5.11-php-x86_64-linux.tar.gz
    • c6e58510eba28768d450460a5919917881e6cfbbd2be77613488728bf01006d2 fluxheim-1.5.11-load-balancer-x86_64-linux.tar.gz
    • 36186de8ea1664e04fc614bb960e92ab2903cc32cf8e89f10737e094f98b3d3b fluxheim-1.5.11-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 22808d817ef75aab2e2f03f13efffb276ea8c8bb7552bd12fac3a55de823d142 fluxheim-1.5.11-full-aarch64-linux.tar.gz
    • 61b0d0b1a49f137963571da23beeb3a87d705018cf6e0461c223d048bdb402cd fluxheim-1.5.11-cache-aarch64-linux.tar.gz
    • 88741ba733b9bc1af31dc25ebf1af67525c47b01a0cde47bcabd339823cc21e3 fluxheim-1.5.11-proxy-aarch64-linux.tar.gz
    • b7bf40f010c8991cd4f2acbb1dfc5266fca20e50c5fc82c740f78159546aca24 fluxheim-1.5.11-php-aarch64-linux.tar.gz
    • 97ad65731ed34323bc736ec944bf50b57f2608685021e314a1ccacba537422f0 fluxheim-1.5.11-load-balancer-aarch64-linux.tar.gz
    • 126c4af7d07cdd153205ca8c9fa5cea88d91dc645020b206994dceb178cded7e fluxheim-1.5.11-config-tester-aarch64-linux.tar.gz
  • macos:
    • fdf06934d133d341cea9a74582457ac701bd508c32d2b4be43fecfce59e4b7a7 fluxheim-1.5.11-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • fluxheim.spdx.json
  • fluxheim.cyclonedx.json
• Reproducible build:
  • 608123b9917d12e59298e2a9c4d5d8341378769bf6f0fe26f0fe68eb3ee79ffa x86_64
  • c15552a51143e8e326461b9023362d23875381ae3e7a80d202c3fbec62302cc2 aarch64
  • 4d700dd4afe20359912c8cc29e1278ee631726bcee83f8852869c5f8c604b598 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:c61639e3af479dd37b66c23be7977e39134b427839a46d2b1f35374948de5c20
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:26497d4990a91c346df035ad37cd00b2c5e73d5b7419a6c7aadef300058a87db
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:62184ea6973648088e9f6a1b13d1f25733b381eb26a887e60b393aff3f81d9a3
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:2c30ecb4c031f5a5b2de66870ebf88eef96a1cd41dfa26c8ead633df18bb6ba2
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1f1d8aaae244beb2b7e0000d77522573e57cff397439f9494581c383f166f99c
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:4863f5fd65a5c6cc956de785548264d7de5401ea3e6bc72fbd3594b0d16b7f15
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:c68d26c1c17888beefdf4e2ba9023ec59965390f81ff3f030e711e905e2ab6e6
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:410507f58e19aca9c43552388b25987382cc446b975da3291bb0cd00d2bce1e2
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1b1b832264cb9e83dc320d01778181db8d9318602a77dff22d4e3aaa1c762276
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0574a7775bebbfb70b9a71b8302f6666c623ce1178c21fc549155aa6fe1e4e0b
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:9f4e006a5fbe3fea953bb76dae172758ae5a73e3fdbb3458fba115ea7865de58
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:952d2a8dc20afecffb46853a8feac3561dfa68a9d4565efbaa1ac5c2a1f7009f
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5fda32912ddba305d1703d1c790cf5a50e12a40cf117be23d0a855a08e2c9b1d
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:91ed8ca471838f9ccf1d455af1b7e83b7c6ccc0ecb55fbadb13ac798046cd8b8
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:3305e43cfb3d27901ea7ae05b1b6d43cfeadcaf14ff72025c8c9ea16898cda71
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0a764f3fbf5f283c1602d52d6daa8c05e3b0b724bf0d49fc4065202b5f139644
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5713b42a72a1868137c0384a8c4d4890f47307fc811e3915affc2f001336fe37
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6a12b2ad48ee12309950cbcb7eff243a3b2c18e2ca1d4a2c2d7573b12dc5a8ec
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:952bca2ee51f9c0658a8e7fd0c9eb6d4df0912af328fc0e9d2bf84c73c5a4c14
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:81539743ce440cbbb01f79dcc1fbd38a63c6100e449f134b733537f9a6b54ba8
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4