openshift · jcmoraisjr · Jun 19, 2026 · jcmoraisjr · Jun 19, 2026
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/operator/v1/types_ingresscontroller.go b/operator/v1/types_ingresscontroller.go
@@ -385,6 +385,42 @@ type IngressControllerSpec struct {
 	// +kubebuilder:default:="Continue"
 	// +default="Continue"
 	ClosedClientConnectionPolicy IngressControllerClosedClientConnectionPolicy `json:"closedClientConnectionPolicy,omitempty"`
+
+	// haproxyOCPVersion specifies the OCP release whose default HAProxy version
+	// should be applied to this IngressController.
+	//
+	// For example, selecting "5.0" will configure the IngressController to use
+	// the default HAProxy version shipped with OCP 5.0.
+	//
+	// Valid values depend on the current OpenShift release:
+	//   - Unset (default): Use the default HAProxy version from the current
+	//     OpenShift release (the most recent version available)
+	//   - "X.Y": Use the default HAProxy version from OpenShift release X.Y
+	//
+	// OpenShift releases that introduce a new HAProxy minor version become available
+	// as pinnable versions in subsequent OpenShift releases, providing a smooth
+	// migration path for administrators who want to defer HAProxy upgrades.
+	//
+	// Releases that introduce a new HAProxy minor version support three values:
+	// unset (latest), the current version (to pin), and the previous pinnable
+	// version. For example, OCP 5.0 introduces HAProxy 3.2, making "5.0" pinnable
+	// until the next OpenShift release introducing a new HAProxy minor version
+	// (inclusive). Unset and the current version use the same HAProxy image;
+	// specifying the current version explicitly pins the version during cluster
+	// upgrades.
+	//
+	// Releases that do not introduce a new HAProxy minor version support two values:
+	// unset (latest) and the previous pinnable version. For example, OCP 5.1 remains
+	// on HAProxy 3.2 (same minor as 5.0), so it supports unset and "5.0" only.
+	//
+	// If a specific OCP version is set and would become unsupported in a target
+	// cluster upgrade, the ingress ClusterOperator's Upgradeable condition will
+	// be set to False, blocking the cluster upgrade until this field is updated
+	// to unset or a supported version.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
+	HAProxyOCPVersion OCPVersion `json:"haproxyOCPVersion,omitempty"`
 }
 
 // httpCompressionPolicy turns on compression for the specified MIME types.
@@ -2218,6 +2254,23 @@ type IngressControllerStatus struct {
 	// routeSelector is the actual routeSelector in use.
 	// +optional
 	RouteSelector *metav1.LabelSelector `json:"routeSelector,omitempty"`
+
+	// effectiveHAProxyOCPVersion reports the OCP release whose default HAProxy
+	// version is currently in use by this IngressController. This reflects the
+	// resolved value of the spec.haproxyOCPVersion field. When omitted, the
+	// effective value has not yet been resolved by the operator or the feature
+	// is not enabled for this cluster.
+	//
+	// Examples:
+	// - "5.0": Using the default HAProxy version from OpenShift 5.0
+	// - "4.22": Using the default HAProxy version from OpenShift 4.22
+	//
+	// The actual HAProxy binary version number is available through HAProxy's
+	// own metrics.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
+	EffectiveHAProxyOCPVersion OCPVersion `json:"effectiveHAProxyOCPVersion,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -2286,3 +2339,12 @@ const (
 	// server's response regardless of the client having closed the connection.
 	IngressControllerClosedClientConnectionPolicyContinue IngressControllerClosedClientConnectionPolicy = "Continue"
 )
+
+// OCPVersion represents an OpenShift release version in "X.Y" format.
+// The value must be between 3 and 8 characters long. It must contain
+// only digits and a single dot separator (for example, "4.22").
+//
+// +kubebuilder:validation:MinLength=3
+// +kubebuilder:validation:MaxLength=8
+// +kubebuilder:validation:XValidation:rule="self.matches(r'^[0-9]+\\.[0-9]+$')",message="OCPVersion must be in X.Y format with only digits and a single dot (for example, '4.22')"
+type OCPVersion string
diff --git a/...zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/...zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml
@@ -892,6 +892,46 @@ spec:
                 required:
                 - type
                 type: object
+              haproxyOCPVersion:
+                description: |-
+                  haproxyOCPVersion specifies the OCP release whose default HAProxy version
+                  should be applied to this IngressController.
+
+                  For example, selecting "5.0" will configure the IngressController to use
+                  the default HAProxy version shipped with OCP 5.0.
+
+                  Valid values depend on the current OpenShift release:
+                    - Unset (default): Use the default HAProxy version from the current
+                      OpenShift release (the most recent version available)
+                    - "X.Y": Use the default HAProxy version from OpenShift release X.Y
+
+                  OpenShift releases that introduce a new HAProxy minor version become available
+                  as pinnable versions in subsequent OpenShift releases, providing a smooth
+                  migration path for administrators who want to defer HAProxy upgrades.
+
+                  Releases that introduce a new HAProxy minor version support three values:
+                  unset (latest), the current version (to pin), and the previous pinnable
+                  version. For example, OCP 5.0 introduces HAProxy 3.2, making "5.0" pinnable
+                  until the next OpenShift release introducing a new HAProxy minor version
+                  (inclusive). Unset and the current version use the same HAProxy image;
+                  specifying the current version explicitly pins the version during cluster
+                  upgrades.
+
+                  Releases that do not introduce a new HAProxy minor version support two values:
+                  unset (latest) and the previous pinnable version. For example, OCP 5.1 remains
+                  on HAProxy 3.2 (same minor as 5.0), so it supports unset and "5.0" only.
+
+                  If a specific OCP version is set and would become unsupported in a target
+                  cluster upgrade, the ingress ClusterOperator's Upgradeable condition will
+                  be set to False, blocking the cluster upgrade until this field is updated
+                  to unset or a supported version.
+                maxLength: 8
+                minLength: 3
+                type: string
+                x-kubernetes-validations:
+                - message: OCPVersion must be in X.Y format with only digits and a
+                    single dot (for example, '4.22')
+                  rule: self.matches(r'^[0-9]+\.[0-9]+$')
               httpCompression:
                 description: |-
                   httpCompression defines a policy for HTTP traffic compression.
@@ -2569,6 +2609,27 @@ spec:
               domain:
                 description: domain is the actual domain in use.
                 type: string
+              effectiveHAProxyOCPVersion:
+                description: |-
+                  effectiveHAProxyOCPVersion reports the OCP release whose default HAProxy
+                  version is currently in use by this IngressController. This reflects the
+                  resolved value of the spec.haproxyOCPVersion field. When omitted, the
+                  effective value has not yet been resolved by the operator or the feature
+                  is not enabled for this cluster.
+
+                  Examples:
+                  - "5.0": Using the default HAProxy version from OpenShift 5.0
+                  - "4.22": Using the default HAProxy version from OpenShift 4.22
+
+                  The actual HAProxy binary version number is available through HAProxy's
+                  own metrics.
+                maxLength: 8
+                minLength: 3
+                type: string
+                x-kubernetes-validations:
+                - message: OCPVersion must be in X.Y format with only digits and a
+                    single dot (for example, '4.22')
+                  rule: self.matches(r'^[0-9]+\.[0-9]+$')
               endpointPublishingStrategy:
                 description: endpointPublishingStrategy is the actual strategy in
                   use.

diff --git a/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -179,6 +179,7 @@ ingresscontrollers.operator.openshift.io:
   Category: ""
   FeatureGates:
   - IngressControllerDynamicConfigurationManager
+  - IngressControllerMultipleHAProxyVersions
   - TLSGroupPreferences
   FilenameOperatorName: ingress
   FilenameOperatorOrdering: "00"