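---
# Namespace for the HAProxy "ingress shim" that fronts the Istio ingress
# gateway. The annotation is read by a wildcard-TLS copying controller that is
# not part of this file; it presumably populates the `wildcard-tls` Secret the
# Deployment below mounts — confirm against that controller.
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-shim
  annotations:
    wildcard-tls.kn8v.com/copy: "true"
---
# HAProxy configuration, mounted into the container as haproxy.cfg via subPath.
# The Deployment carries the stakater reloader annotation, so edits here are
# rolled out automatically once the ConfigMap changes.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
data:
  # Literal block scalar: backslashes in the regex replacements (`https\1`)
  # are passed through verbatim, which is what HAProxy expects.
  haproxy.cfg: |
    global
      log stdout format raw local0
      stats timeout 30s
      user haproxy
      group haproxy

    defaults
      log global
      mode http
      option httplog
      option dontlognull
      balance source
      timeout connect 5000
      timeout client 50000
      timeout server 50000
      http-reuse never
      option disable-h2-upgrade

    # Plain HTTP: everything is redirected to HTTPS; the Host capture only feeds
    # the access log.
    frontend http80
      bind *:80
      http-request capture req.hdr(Host) len 255
      http-request redirect scheme https

    # TLS terminated here with the combined cert+key written by the init
    # container. Backends answer with http:// redirects for these two domains;
    # the Location header is rewritten back to https:// so clients never
    # downgrade.
    frontend https443
      bind *:443 ssl crt /ssl-tmp/tls.pem
      http-request capture req.hdr(Host) len 255
      http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
      http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
      default_backend httpnodes

    # Same as https443 but expects an upstream PROXY-protocol header
    # (accept-proxy), e.g. from a TCP load balancer that preserves client IPs.
    frontend proxy4443
      bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy
      http-request capture req.hdr(Host) len 255
      http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1
      http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1
      default_backend httpnodes

    # Single upstream: the Istio ingress gateway, plain HTTP inside the cluster.
    # forwardfor adds X-Forwarded-For so the gateway sees the real client IP.
    backend httpnodes
      option forwardfor
      server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check

    # Stats page. Note: this listener is plain HTTP with no `stats auth`, and
    # the Service below publishes it on the LoadBalancer IP, so backend names,
    # upstream addresses and captured headers are readable by anyone who can
    # reach port 8404. Admin actions are limited to loopback by the built-in
    # LOCALHOST ACL (src 127.0.0.1/8 ::1). Consider dropping the 8404 Service
    # port, or adding `stats auth` / a `src` ACL, before exposing this publicly.
    frontend stats
      mode http
      option httplog
      bind *:8404
      http-request capture req.hdr(X-Forwarded-For) len 64
      http-request capture req.hdr(Host) len 255
      stats enable
      stats uri /
      stats refresh 10s
      stats admin if LOCALHOST
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
  annotations:
    # Restart the pod when the mounted ConfigMap/Secret changes (stakater
    # Reloader must be installed in the cluster for this to have any effect).
    "reloader.stakater.com/auto": "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "haproxy-server"
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: "haproxy-server"
    spec:
      initContainers:
        # HAProxy wants cert and key in one PEM; concatenate the TLS Secret's
        # two files into a memory-backed emptyDir shared with the main
        # container. The resulting file holds the private key, so the volume
        # is deliberately `medium: Memory` and never leaves the pod.
        - name: combine-certs
          # NOTE(review): `debian:11` is a floating tag; pin to a digest for
          # reproducible, auditable rollouts.
          image: debian:11
          command: ["bash", "-c"]
          args:
            - |
              cat /ssl/tls.crt /ssl/tls.key > /ssl-tmp/tls.pem
          volumeMounts:
            - mountPath: /ssl
              name: ssl
              readOnly: true
            - mountPath: /ssl-tmp
              name: ssl-tmp
      containers:
        # NOTE(review): `haproxy:latest` is unpinned, so every pod restart may
        # pull a different (possibly breaking) major version. Pin a tag or
        # digest once the intended version is known.
        - image: haproxy:latest
          name: haproxy
          volumeMounts:
            # HAProxy only reads these; mark them read-only explicitly.
            - mountPath: /usr/local/etc/haproxy/haproxy.cfg
              name: config
              subPath: haproxy.cfg
              readOnly: true
            - mountPath: /ssl
              name: ssl
              readOnly: true
            - mountPath: /ssl-tmp
              name: ssl-tmp
              readOnly: true
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 4443
              name: proxys
              protocol: TCP
            - containerPort: 8404
              name: stats
              protocol: TCP
      restartPolicy: Always
      volumes:
        - name: config
          configMap:
            name: "haproxy-server"
        - name: ssl
          secret:
            secretName: wildcard-tls
            optional: false
        - name: ssl-tmp
          emptyDir:
            medium: Memory
            sizeLimit: 5Mi
---
apiVersion: v1
kind: Service
metadata:
  name: "haproxy-server"
  namespace: "ingress-shim"
  annotations:
    # MetalLB: pin the LoadBalancer IP and allow other Services to share it.
    # Quoted so no tool ever re-types the address.
    metallb.universe.tf/allow-shared-ip: "172.16.17.80"
    metallb.universe.tf/loadBalancerIPs: "172.16.17.80"
spec:
  allocateLoadBalancerNodePorts: true
  # Local traffic policies preserve the client source IP (needed for the
  # forwardfor header and for the LOCALHOST ACL on the stats page to mean
  # anything), at the cost of only routing to nodes that host the pod.
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http-80
      port: 80
      protocol: TCP
      targetPort: http
    - name: https-443
      port: 443
      protocol: TCP
      targetPort: https
    - name: https-4443
      port: 4443
      protocol: TCP
      targetPort: proxys
    # The name says https, but the `stats` frontend binds without `ssl`, so
    # this port is plain HTTP. Name kept as-is to avoid breaking anything that
    # references it; see the ConfigMap for the exposure concern.
    - name: https-8404
      port: 8404
      protocol: TCP
      targetPort: stats
  selector:
    app: "haproxy-server"
  type: LoadBalancer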