major(ingress): Migrate hel1 to ha-proxy controller

Most ingresses annotations should be work with small changes.

values/system/hel1/hubble-ui-ingress.yaml

@@ -2,13 +2,11 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
     oceanbox.io/expose: internal
   name: hubble-ui
   namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
     - host: hubble.hel1.oceanbox.io
       http:
@@ -26,13 +24,11 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
-    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
     oceanbox.io/expose: internal
   name: hubble-ui-oauth2-proxy
   namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
     - host: hubble.hel1.oceanbox.io
       http:

values/system/hel1/kyverno/whitelist-internal-ingresses.yaml

@@ -14,9 +14,8 @@ metadata:
       whitelist to the already existing ones
 spec:
   mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or
   rules:
-  - name: ensure-nginx-whitelist-exists
+  - name: ensure-haproxy-allowlist-exists
     skipBackgroundRequests: true
     match:
       resources:
@@ -28,8 +27,8 @@ spec:
       patchStrategicMerge:
         metadata:
           annotations:
-            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
-  - name: append-existing-whitelist
+            +(haproxy.org/allow-list): ""
+  - name: append-existing-haproxy-allowlist
     skipBackgroundRequests: true
     match:
       resources:
@@ -39,7 +38,7 @@ spec:
           oceanbox.io/expose: internal
     preconditions:
       any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
         operator: NotEquals
         value: ""
     mutate:
@@ -47,9 +46,9 @@ spec:
         metadata:
           annotations:
             {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            haproxy.org/allow-list: "{{`{{ @ }}`}},{{ join "," . }}"
             {{- end }}
-  - name: add-nginx-whitelist
+  - name: add-haproxy-allowlist
     skipBackgroundRequests: true
     match:
       resources:
@@ -59,7 +58,7 @@ spec:
           oceanbox.io/expose: internal
     preconditions:
       any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
         operator: Equals
         value: ""
     mutate:
@@ -67,7 +66,6 @@ spec:
         metadata:
           annotations:
             {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            haproxy.org/allow-list: "{{ join "," . }}"
             {{- end }}
 {{- end }}
-