How to Install HAProxy Ingress Controller on PCE 4.x in AWS

Here are instructions to installing HAProxy ingress controller on PCE 4.x, including how to setup the config map and getting websockets to work in AWS.

1) Create a namespace for HAProxy. In this example, we will use "core-pass-ingress"

kubectl create ns core-pass-ingress

2) Create the following file haproxy-tcp-configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services-configmap
  namespace: core-paas-ingress  # Same namespace as controller for simplicity
data:
  "8083": "core-paas/nginx-wss-service:8083"  # incoming-port: namespace/service:service-port
  "8889": "core-paas/nginx-wss-service:8889"

Then run:

kubectl create -f haproxy-tcp-configmap.yaml

3) Create the following file haproxy-ingress-values.yaml:

controller:
  service:
    type: LoadBalancer
    # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: '3'
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: '30'
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: '10253'
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: HTTP
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: '10'
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: '3'
      service.beta.kubernetes.io/aws-load-balancer-name: <your NLB name> #change this
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses: <your private IP address 1>, <your private IP address 2>, <your private IP address 3> #change this
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
      service.beta.kubernetes.io/aws-load-balancer-subnets: <your AWS subnet 1>, <your AWS subnet 2>, <your AWS subnet 3> #change this
      service.beta.kubernetes.io/aws-load-balancer-type: nlb


    # Expose custom TCP ports on the LoadBalancer service
    tcpPorts:
      - name: auth-proxy
        port: 8083
        targetPort: 8083
        protocol: TCP
      - name: wss8889
        port: 8889
        targetPort: 8889
        protocol: TCP

# Reference the TCP services ConfigMap (created separately below)
  extraArgs:
    - --configmap-tcp-services=core-paas-ingress/tcp-services-configmap

Note the values with "#change this" need to be changed according to your setup.

Then run the command:

helm repo add haproxytech https://haproxytech.github.io/helm-charts
helm repo update

helm install haproxy-ingress haproxytech/kubernetes-ingress --create-namespace --namespace core-paas-ingress -f haproxy-ingress-values.yaml

4) Create the file haproxy-ingress.yaml and populate with the following:

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-proxy
  namespace: core-paas-ingress
spec:
  type: ExternalName
  externalName: nginx-service.core-paas.svc.cluster.local
  ports:
  - name: https
    port: 443

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: haproxy-ingress
  namespace: core-paas-ingress
  annotations:
    # Enable SSL Passthrough (routes TLS directly to backend without termination)
    kubernetes.io/ingress.class: haproxy  # Or use ingressClassName: haproxy if preferred
    haproxy.org/ssl-passthrough: "true"  # Official annotation for passthrough
spec:
  ingressClassName: haproxy  # Recommended modern way
  tls:
  - hosts:
    - anypoint.your-org.com #change this
    secretName: your-tls-secret #change this
  rules:
  - host: anypoint.your-org.com #change this
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service-proxy
            port:
              number: 443

Note the values to change from the above marked as "#change this".

Then run the following command:

kubectl create -f haproxy-ingress.yaml