Varnish Controller 7: Practical Upgrades for Modern Varnish Operations

Varnish Controller is the tool we built to help manage Varnish servers at scale. If you’ve ever had to coordinate config changes, VCL deployments, TLS certificates, or cache invalidation across a handful (or a hundred) of Varnish instances, you know how quickly things can get messy. The Controller acts as a central control point; it connects to a lightweight agent on each Varnish server and helps you keep everything in sync.

It’s also designed to make common tasks easier: deploying VCL files, assigning domains, pushing certificates, tracking usage, and more. From managing single clusters to large distributed setups, it gives you better visibility and control.

Version 7 of the Varnish Controller is a significant update. It introduces some major improvements under the hood, and a bunch of features that make everyday operations smoother. If you’re already using the Varnish Controller, some things will work differently (in a good way). If you’re new to it, this version’s a great place to start testing.

Upgrading to Varnish Controller 7

From 6.x to 7.0.0

This is a major release with breaking changes to both the API and VCLI. Automation, scripts, and other tooling may need updates. For full upgrade instructions, visit the Varnish Controller documentation.

• Controller 7 requires Varnish Enterprise 6.0.8r2 or newer.
• Supported PostgreSQL versions: 13–17. PostgreSQL 15+ is strongly recommended due to performance optimizations the Controller can use.
• Back up your database before upgrading to make rollback possible.
• VCLGroups no longer deploy together based on shared files, you need to deploy each group individually.

Upgrade order:

1. Upgrade Brainz, API-GW, VCLI, UI, and NATS.
2. Upgrade and restart all agents (they will terminate during the upgrade).
3. Upgrade and restart Traffic Routers.

Key Changes in Version 7

Backend Improvements

The Controller's database layer has been rebuilt for performance and efficiency. This reduces PostgreSQL load and improves responsiveness. Also:

• Now built using version 1.24 of the Go programming language.
• Older Linux versions like Ubuntu Xenial, Debian Buster, and CentOS 7 are no longer supported.

Git-Managed VCL Deployments

You can now deploy VCL files directly from Git. Define a repo, set a branch, and the Varnish Controller will track and deploy updates automatically. This works well for teams using Git in CI/CD pipelines and reduces the need for manual file uploads.

This can be configured in the Controller UI or using the VCLI commands below:

Native File Versioning

Because we support Git, which is a version control system, we now also support file versioning for manual deployments: each file can now hold multiple immutable versions. You can track, compare, and roll back changes cleanly.

Versioning of VCL files can be managed in the Controller UI or using the VCLI commands below:

This helps with auditing and stability, especially in larger environments.

TagSets for VCLGroups

Old-style deployments have been replaced with TagSets, which let you apply multiple tag combinations to VCLGroups and match them to the right agents.

This simplifies targeting VCL deployments by environment, location, or other criteria.

Here’s an example of assigning TagSets using the VCLI, however this is also configurable in the Controller UI:

Independent VCLGroup Deployments

In previous versions of the Varnish Controller, VCLGroups sharing files could trigger unwanted redeployments. In version 7, groups are completely independent. This means you:

• Deploy each group explicitly.
• Avoid side effects during updates.

You can also enable track-latest to always use the most recent file or Git commit. Here’s how you do this using a VCLI command:

Deploy Logs and Rollbacks

Each deployment is logged, and rollback is supported as long as the group is not tracking latest.

Useful for quickly undoing changes or investigating what was deployed.

Long-Lived API Tokens

You can now create API tokens that stay valid for extended periods—ideal for automation and integration with other tools.

Long-Lived API Tokens can only be created using the VCLI. Here’s an example:

Tokens can also be assigned custom roles with specific permissions.

ACME TLS Support

Varnish Controller 7 adds support for the ACME protocol, allowing automated generation and renewal of TLS certificates (e.g., with Let's Encrypt).

• Supports DNS and HTTP challenges.
• Can generate wildcard certificates.
• Subject Alternative Names are now properly handled.

Here’s a VCLI example that creates an TLS certificate for the “example.com” domain name using the ACME protocol:

TLS certificates, both manual and ACME-issued, can also be configured in the Controller UI.

Append Domains to VCLGroups

You can now append new domains to an existing VCLGroup without replacing the entire list.

Here’s how you can add a domain to a VCLGroup using a simple VCLI command, but this can of course also be managed in the Controller UI:

This simplifies ongoing updates, especially in multi-tenant setups.

Summary

Varnish Controller 7 is a practical upgrade focused on improving how you manage and automate multi-node Varnish environments. It brings:

• Better performance and backend stability
• Native Git and version tracking for VCL
• Easier rollbacks and clearer deployment behavior
• TLS automation with support for the ACME protocol
• Support for long-lived API tokens
• Simpler upgrade paths with clear instructions

If you're running Varnish Enterprise at scale or in production, this version helps make the day-to-day work easier, more predictable, and easier to integrate into modern workflows.

See the full Changelog. For full upgrade instructions, visit the Varnish Controller documentation.