apiVersion: v1 kind: Namespace metadata: name: ingress-shim annotations: wildcard-tls.kn8v.com/copy: "true" --- apiVersion: v1 kind: ConfigMap metadata: name: "haproxy-server" namespace: "ingress-shim" data: haproxy.cfg: | global log stdout format raw local0 stats timeout 30s user haproxy group haproxy defaults log global mode http option httplog option dontlognull balance source timeout connect 5000 timeout client 50000 timeout server 50000 http-reuse never option disable-h2-upgrade frontend http80 bind *:80 http-request capture req.hdr(Host) len 255 http-request redirect scheme https frontend https443 bind *:443 ssl crt /ssl-tmp/tls.pem http-request capture req.hdr(Host) len 255 http-request set-header X-Forwarded-Proto https http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1 http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1 default_backend httpnodes frontend rtmp1935 bind *:1935 mode tcp default_backend wertube1935 frontend proxy4443 bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy http-request capture req.hdr(Host) len 255 http-request set-header X-Forwarded-Proto https http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1 http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1 default_backend httpnodes backend wertube1935 mode tcp balance leastconn server s1 peertube-werts.peertube-werts.svc:1935 check backend httpnodes option forwardfor #server s1 istio-ingressgateway.istio-system.svc.cluster.local:443 check ssl verify none #server s2 172.16.17.5:443 check ssl verify none # USE THE FRONTING PROXY PORT IN HAPROXY-INGRESS server s1 172.16.17.82:81 check frontend stats mode http option httplog bind *:8404 http-request capture req.hdr(X-Forwarded-For) len 64 http-request capture req.hdr(Host) len 255 stats enable stats uri / stats refresh 10s stats admin if LOCALHOST --- # This is a daemonset so that we can use local traffic policies. # The whole point of this pod is to gather and preserve client IPs # so local traffic policies are a must (kube-proxy will change the # origin IP). apiVersion: apps/v1 kind: DaemonSet metadata: name: "haproxy-server" namespace: "ingress-shim" annotations: "reloader.stakater.com/auto": "true" spec: selector: matchLabels: app: "haproxy-server" template: metadata: labels: app: "haproxy-server" spec: terminationGracePeriodSeconds: 0 initContainers: - name: combine-certs command: ["bash", "-c"] args: - | cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem image: debian:11 volumeMounts: - mountPath: /ssl name: ssl - mountPath: /ssl-tmp name: ssl-tmp containers: - image: haproxy:latest name: haproxy volumeMounts: - mountPath: /usr/local/etc/haproxy/haproxy.cfg name: config subPath: haproxy.cfg - mountPath: /ssl name: ssl - mountPath: /ssl-tmp name: ssl-tmp ports: - containerPort: 80 name: http protocol: TCP - containerPort: 443 name: https protocol: TCP - containerPort: 1935 name: rtmp protocol: TCP - containerPort: 4443 name: proxys protocol: TCP - containerPort: 8404 name: stats protocol: TCP restartPolicy: Always volumes: - name: config configMap: name: "haproxy-server" - name: ssl secret: secretName: wildcard-tls optional: false - name: ssl-tmp emptyDir: medium: Memory sizeLimit: 5Mi --- apiVersion: v1 kind: Service metadata: name: "haproxy-server" namespace: "ingress-shim" annotations: metallb.universe.tf/allow-shared-ip: 172.16.17.80 metallb.universe.tf/loadBalancerIPs: 172.16.17.80 spec: allocateLoadBalancerNodePorts: true # PRESERVE CLIENT IPS! THIS IS THE WHOLE POINT! externalTrafficPolicy: Local internalTrafficPolicy: Local ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: http-80 port: 80 protocol: TCP targetPort: http - name: rtmp-1935 port: 1935 protocol: TCP targetPort: rtmp - name: https-443 port: 443 protocol: TCP targetPort: https - name: https-4443 port: 4443 protocol: TCP targetPort: proxys - name: https-8404 port: 8404 protocol: TCP targetPort: stats selector: app: "haproxy-server" type: LoadBalancer