add ingress shim -- figure out XFF later

ingress-shim/deploy.yaml

@@ -0,0 +1,160 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-shim
+  annotations:
+    wildcard-tls.kn8v.com/copy: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "haproxy-server"
+  namespace: "ingress-shim"
+data:
+  haproxy.cfg: |
+    global
+        log stdout format raw local0
+        stats timeout 30s
+        user haproxy
+        group haproxy
+
+    defaults
+        log        global
+        mode        http
+        option        httplog
+        option        dontlognull
+        balance source
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        http-reuse never
+        option disable-h2-upgrade
+
+    frontend http80
+        bind *:80
+        http-request redirect scheme https
+
+    frontend https443
+        bind *:443 ssl crt /ssl-tmp/tls.pem
+        default_backend httpnodes
+
+    frontend proxy443
+        bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy
+        default_backend httpnodes
+
+    backend httpnodes
+        server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check
+
+    frontend stats
+        mode http
+        option httplog
+        bind *:8404
+        stats enable
+        stats uri /
+        stats refresh 10s
+        stats admin if LOCALHOST
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "haproxy-server"
+  namespace: "ingress-shim"
+  annotations: 
+    "reloader.stakater.com/auto": "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "haproxy-server"
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: "haproxy-server"
+    spec:
+      initContainers:
+        - name: combine-certs
+          command: ["bash", "-c"]
+          args:
+            - |
+              cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem
+          image: debian:11
+          volumeMounts:
+            - mountPath: /ssl
+              name: ssl
+            - mountPath: /ssl-tmp
+              name: ssl-tmp
+      containers:
+        - image: haproxy:latest
+          name: haproxy
+          volumeMounts:
+            - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+              name: config
+              subPath: haproxy.cfg
+            - mountPath: /ssl
+              name: ssl
+            - mountPath: /ssl-tmp
+              name: ssl-tmp
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+            - containerPort: 443
+              name: https
+              protocol: TCP
+            - containerPort: 4443
+              name: proxys
+              protocol: TCP
+            - containerPort: 8404
+              name: stats
+              protocol: TCP
+      restartPolicy: Always
+      volumes:
+        - name: config
+          configMap:
+            name: "haproxy-server"
+        - name: ssl
+          secret:
+            secretName: wildcard-tls
+            optional: false
+        - name: ssl-tmp
+          emptyDir:
+            medium: Memory
+            sizeLimit: 5Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "haproxy-server"
+  namespace: "ingress-shim"
+  annotations:
+    metallb.universe.tf/allow-shared-ip: 172.16.17.80
+    metallb.universe.tf/loadBalancerIPs: 172.16.17.80
+spec:
+  allocateLoadBalancerNodePorts: true
+  externalTrafficPolicy: Local
+  internalTrafficPolicy: Local
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: http-80
+      port: 80
+      protocol: TCP
+      targetPort: http
+    - name: https-443
+      port: 443
+      protocol: TCP
+      targetPort: https
+    - name: https-4443
+      port: 4443
+      protocol: TCP
+      targetPort: proxys
+    - name: https-8404
+      port: 8404
+      protocol: TCP
+      targetPort: stats
+  selector:
+    app: "haproxy-server"
+  type: LoadBalancer