kube-cascade/ingress-shim/deploy.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-shim
  annotations:
    wildcard-tls.kn8v.com/copy: "true"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
data:
  haproxy.cfg: |
    global
        log stdout format raw local0
        stats timeout 30s
        user haproxy
        group haproxy

    defaults
        log        global
        mode        http
        option        httplog
        option        dontlognull
        balance source
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        http-reuse never
        option disable-h2-upgrade

    frontend http80
        bind *:80
        http-request capture req.hdr(Host) len 255
        http-request redirect scheme https

    frontend https443
        bind *:443 ssl crt /ssl-tmp/tls.pem
        http-request capture req.hdr(Host) len 255
        http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
        http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
        default_backend httpnodes

    frontend proxy4443
        bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy
        http-request capture req.hdr(Host) len 255
        http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
        http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
        default_backend httpnodes

    backend httpnodes
        option forwardfor
        server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check

    frontend stats
        mode http
        option httplog
        bind *:8404
        http-request capture req.hdr(X-Forwarded-For) len 64
        http-request capture req.hdr(Host) len 255
        stats enable
        stats uri /
        stats refresh 10s
        stats admin if LOCALHOST
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
  annotations: 
    "reloader.stakater.com/auto": "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "haproxy-server"
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: "haproxy-server"
    spec:
      initContainers:
        - name: combine-certs
          command: ["bash", "-c"]
          args:
            - |
              cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem
          image: debian:11
          volumeMounts:
            - mountPath: /ssl
              name: ssl
            - mountPath: /ssl-tmp
              name: ssl-tmp
      containers:
        - image: haproxy:latest
          name: haproxy
          volumeMounts:
            - mountPath: /usr/local/etc/haproxy/haproxy.cfg
              name: config
              subPath: haproxy.cfg
            - mountPath: /ssl
              name: ssl
            - mountPath: /ssl-tmp
              name: ssl-tmp
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 4443
              name: proxys
              protocol: TCP
            - containerPort: 8404
              name: stats
              protocol: TCP
      restartPolicy: Always
      volumes:
        - name: config
          configMap:
            name: "haproxy-server"
        - name: ssl
          secret:
            secretName: wildcard-tls
            optional: false
        - name: ssl-tmp
          emptyDir:
            medium: Memory
            sizeLimit: 5Mi
---
apiVersion: v1
kind: Service
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
  annotations:
    metallb.universe.tf/allow-shared-ip: 172.16.17.80
    metallb.universe.tf/loadBalancerIPs: 172.16.17.80
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http-80
      port: 80
      protocol: TCP
      targetPort: http
    - name: https-443
      port: 443
      protocol: TCP
      targetPort: https
    - name: https-4443
      port: 4443
      protocol: TCP
      targetPort: proxys
    - name: https-8404
      port: 8404
      protocol: TCP
      targetPort: stats
  selector:
    app: "haproxy-server"
  type: LoadBalancer
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: ingress-shim`
			`annotations:`
			`wildcard-tls.kn8v.com/copy: "true"`
			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: "haproxy-server"`
			`namespace: "ingress-shim"`
			`data:`
			`haproxy.cfg: \|`
			`global`
			`log stdout format raw local0`
			`stats timeout 30s`
			`user haproxy`
			`group haproxy`

			`defaults`
			`log global`
			`mode http`
			`option httplog`
			`option dontlognull`
			`balance source`
			`timeout connect 5000`
			`timeout client 50000`
			`timeout server 50000`
			`http-reuse never`
			`option disable-h2-upgrade`

			`frontend http80`
			`bind *:80`
add some request captures to ingress-shim 2023-08-10 22:41:15 +00:00			`http-request capture req.hdr(Host) len 255`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`http-request redirect scheme https`

			`frontend https443`
			`bind *:443 ssl crt /ssl-tmp/tls.pem`
add some request captures to ingress-shim 2023-08-10 22:41:15 +00:00			`http-request capture req.hdr(Host) len 255`
fix regex capture group 2023-08-12 05:32:46 +00:00			`http-response replace-value Location http(://.[.]werts[.]us/.) https\1`
			`http-response replace-value Location http(://.[.]strudelline[.]net/.) https\1`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`default_backend httpnodes`

remove XFF from captured headers (they don't matter) 2023-08-10 23:13:39 +00:00			`frontend proxy4443`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy`
add some request captures to ingress-shim 2023-08-10 22:41:15 +00:00			`http-request capture req.hdr(Host) len 255`
fix regex capture group 2023-08-12 05:32:46 +00:00			`http-response replace-value Location http(://.[.]werts[.]us/.) https\1`
			`http-response replace-value Location http(://.[.]strudelline[.]net/.) https\1`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`default_backend httpnodes`

			`backend httpnodes`
add forwardfor to ingress-shim 2023-08-10 21:57:29 +00:00			`option forwardfor`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check`

			`frontend stats`
			`mode http`
			`option httplog`
			`bind *:8404`
add some request captures to ingress-shim 2023-08-10 22:41:15 +00:00			`http-request capture req.hdr(X-Forwarded-For) len 64`
			`http-request capture req.hdr(Host) len 255`
add ingress shim -- figure out XFF later 2023-07-23 02:03:04 +00:00			`stats enable`
			`stats uri /`
			`stats refresh 10s`
			`stats admin if LOCALHOST`
			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: "haproxy-server"`
			`namespace: "ingress-shim"`
			`annotations:`
			`"reloader.stakater.com/auto": "true"`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: "haproxy-server"`
			`strategy:`
			`type: RollingUpdate`
			`template:`
			`metadata:`
			`labels:`
			`app: "haproxy-server"`
			`spec:`
			`initContainers:`
			`- name: combine-certs`
			`command: ["bash", "-c"]`
			`args:`
			`- \|`
			`cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem`
			`image: debian:11`
			`volumeMounts:`
			`- mountPath: /ssl`
			`name: ssl`
			`- mountPath: /ssl-tmp`
			`name: ssl-tmp`
			`containers:`
			`- image: haproxy:latest`
			`name: haproxy`
			`volumeMounts:`
			`- mountPath: /usr/local/etc/haproxy/haproxy.cfg`
			`name: config`
			`subPath: haproxy.cfg`
			`- mountPath: /ssl`
			`name: ssl`
			`- mountPath: /ssl-tmp`
			`name: ssl-tmp`
			`ports:`
			`- containerPort: 80`
			`name: http`
			`protocol: TCP`
			`- containerPort: 443`
			`name: https`
			`protocol: TCP`
			`- containerPort: 4443`
			`name: proxys`
			`protocol: TCP`
			`- containerPort: 8404`
			`name: stats`
			`protocol: TCP`
			`restartPolicy: Always`
			`volumes:`
			`- name: config`
			`configMap:`
			`name: "haproxy-server"`
			`- name: ssl`
			`secret:`
			`secretName: wildcard-tls`
			`optional: false`
			`- name: ssl-tmp`
			`emptyDir:`
			`medium: Memory`
			`sizeLimit: 5Mi`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: "haproxy-server"`
			`namespace: "ingress-shim"`
			`annotations:`
			`metallb.universe.tf/allow-shared-ip: 172.16.17.80`
			`metallb.universe.tf/loadBalancerIPs: 172.16.17.80`
			`spec:`
			`allocateLoadBalancerNodePorts: true`
			`externalTrafficPolicy: Local`
			`internalTrafficPolicy: Local`
			`ipFamilies:`
			`- IPv4`
			`ipFamilyPolicy: SingleStack`
			`ports:`
			`- name: http-80`
			`port: 80`
			`protocol: TCP`
			`targetPort: http`
			`- name: https-443`
			`port: 443`
			`protocol: TCP`
			`targetPort: https`
			`- name: https-4443`
			`port: 4443`
			`protocol: TCP`
			`targetPort: proxys`
			`- name: https-8404`
			`port: 8404`
			`protocol: TCP`
			`targetPort: stats`
			`selector:`
			`app: "haproxy-server"`
			`type: LoadBalancer`