Merge pull request 'major(ingress): Migrate hel1 to ha-proxy controller' (#192) from mrtz/ha into main

Reviewed-on: #192

charts/atlantis/Chart.yaml

@@ -4,10 +4,10 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.5.2
+version: v2.5.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.5.2
+appVersion: v2.5.3
 dependencies:
   - name: diagrid-dashboard
     version: "0.1.0"

charts/atlantis/values.yaml

@@ -4,7 +4,7 @@
 replicaCount: 1
 image:
   repository: git.oceanbox.io/oceanbox/poseidon/atlantis
-  tag: v2.5.2
+  tag: v2.5.3
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/codex/Chart.yaml

@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v2.5.2
+version: v2.5.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v2.5.2"
+appVersion: "v2.5.3"

charts/codex/values.yaml

@@ -10,7 +10,7 @@ image:
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: v2.5.2
+  tag: v2.5.3
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets:
   - name: gitlab-pull-secret

charts/docs/values.yaml

@@ -47,7 +47,7 @@ service:
   port: 8080
 ingress:
   enabled: true
-  className: nginx
+  className: haproxy
 persistence:
   enabled: false
   size: 1G

charts/makai/values.yaml

@@ -47,7 +47,7 @@ service:
   port: 8080
 ingress:
   enabled: true
-  className: nginx
+  className: haproxy
 persistence:
   enabled: false
   size: 1G

charts/sorcerer/Chart.yaml

@@ -4,10 +4,10 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.5.2
+version: v2.5.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.5.2
+appVersion: v2.5.3
 dependencies:
   - name: diagrid-dashboard
     version: "0.1.0"

charts/sorcerer/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: git.oceanbox.io/oceanbox/poseidon/sorcerer
-  tag: v2.5.2
+  tag: v2.5.3
   pullPolicy: IfNotPresent
 init:
   enabled: false

helmfile.d/argo.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: argocd
   namespace: argocd
   chart: argo/argo-cd
-  version: 9.5.2
+  version: 9.5.4
   condition: argo.enabled
   values:
   - ../values/argo/values/argocd.yaml.gotmpl
@@ -43,7 +43,7 @@ releases:
 - name: argo-workflows
   namespace: argocd
   chart: argo/argo-workflows
-  version: 1.0.10
+  version: 1.0.13
   condition: argo.workflows.enabled
   missingFileHandler: Info
 - name: manifests

helmfile.d/ingress-haproxy.yaml.gotmpl

@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: haproxytech
+  oci: true
+  url: 'ghcr.io/haproxytech/helm-charts'
+
+commonLabels:
+  tier: system
+
+releases:
+- name: ingress-haproxy
+  namespace: ingress-haproxy
+  chart: haproxytech/kubernetes-ingress
+  version: 1.42.0
+  condition: haproxy.enabled
+  values:
+  - ../values/ingress-haproxy/values/ingress-haproxy.yaml.gotmpl
+  - ../values/ingress-haproxy/values/ingress-haproxy-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/ingress-haproxy/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: ingress-haproxy
+  chart: manifests
+  condition: haproxy.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/ingress-haproxy/env.yaml.gotmpl
+  - ../values/ingress-haproxy/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/ingress-haproxy/manifests
+    - manifests

helmfile.d/kyverno.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: kyverno
   namespace: kyverno
   chart: kyverno/kyverno
-  version: 3.7.1
+  version: 3.7.2
   condition: kyverno.enabled
   values:
   - ../values/kyverno/values/kyverno.yaml.gotmpl

helmfile.d/loki.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: loki
   namespace: loki
   chart: loki/loki
-  version: 6.55.0
+  version: 7.0.0
   condition: loki.enabled
   values:
   - ../values/loki/values/loki.yaml.gotmpl

helmfile.d/opentelemetry-collector.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: opentelemetry-collector
   namespace: otel
   chart: open-telemetry/opentelemetry-collector
-  version: 0.150.1
+  version: 0.152.0
   condition: otel.enabled
   values:
   - ../values/opentelemetry-collector/values/values.yaml

helmfile.d/spegel.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: spegel
   namespace: spegel
   chart: spegel/spegel
-  version: 0.7.0
+  version: 0.6.0
   condition: spegel.enabled
   values:
   - ../values/spegel/values/spegel.yaml.gotmpl

helmfile.d/umami.yaml.gotmpl

@@ -14,7 +14,7 @@ releases:
 - name: umami
   namespace: analytics
   chart: umami/umami
-  version: 7.7.20
+  version: 7.8.2
   condition: umami.enabled
   values:
   - ../values/umami/values/values.yaml

helmfile.d/x509-exporter.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: x509-exporter
   namespace: x509-exporter
   chart: x509-exporter/x509-certificate-exporter
-  version: 3.20.1
+  version: 3.21.0
   condition: x509_exporter.enabled
   values:
   - ../values/x509-exporter/values/x509-exporter.yaml.gotmpl

values/atlantis/kustomize/staging/actor-config.yaml

@@ -3,7 +3,7 @@ kind: ConfigMap
 metadata:
   name: staging-atlantis-actor-config
 data:
-  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.8"
+  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.12"
   XTRACT_QUEUE: "dev-queue"
-  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.8"
+  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.12"
   PLUME_QUEUE: "dev-queue"

values/atlantis/values/values-staging.yaml.gotmpl

@@ -1,7 +1,7 @@
 replicaCount: 1
 image:
   repository: git.oceanbox.io/oceanbox/poseidon/atlantis
-  tag: 5d810716-debug
+  tag: ea26ac41-debug
 podAnnotations:
   dapr.io/app-id: "staging-atlantis"
 env:

values/attic/manifests/ingress.yaml

@@ -3,17 +3,14 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/timeout-server: 600s
   labels:
     app.kubernetes.io/component: attic
   name: attic
   namespace: attic
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
   - host: attic.srv.oceanbox.io
     http:

values/docs/values/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "ea8cf7dc-debug"
+  tag: "f040ed60-debug"
 env:
   - name: APP_VERSION
     value: "0.0.0"
@@ -8,13 +8,11 @@ env:
     value: "1"
 ingress:
   enabled: true
-  className: "nginx"
+  className: "haproxy"
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-enable: "true"
     oceanbox.io/expose: internal
   hosts:
     - host: docs.oceanbox.io

values/gatus/manifests/ingress.yaml

@@ -3,17 +3,15 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: ca-issuer
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type, x-gatus-cache
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-allow-headers: Content-Type, x-gatus-cache
+    haproxy.org/cors-enable: "true"
   labels:
     app.kubernetes.io/name: gatus
   name: gatus
   namespace: uptime
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
     - host: uptime.adm.hel1.obx
       http:
@@ -24,7 +22,7 @@ spec:
                 port:
                   number: 80
             path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
   tls:
     - hosts:
         - uptime.adm.hel1.obx

values/gitea/values/values.yaml

@@ -135,15 +135,12 @@ gitea:
 
 ingress:
   enabled: true
-  className: nginx
+  className: haproxy
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12,185.125.160.4/32,37.27.203.38/32
+    haproxy.org/backend-protocol: h1
+    haproxy.org/timeout-server: 600s
+    haproxy.org/allow-list: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12,185.125.160.4/32,37.27.203.38/32
   hosts:
     - host: git.oceanbox.io
       paths:

values/ingress-haproxy/env-hel1.yaml.gotmpl

@@ -0,0 +1,15 @@
+haproxy:
+  enabled: true
+  autosync: true
+  pdb:
+    minAvailable: 1
+  resources:
+    controller:
+      cpu: "100m"
+      memory: "100Mi"
+  annotations:
+    load-balancer.hetzner.cloud/http-redirect-http: "true"
+    load-balancer.hetzner.cloud/location: hel1
+    load-balancer.hetzner.cloud/name: load-balancer-1
+    load-balancer.hetzner.cloud/type: lb11
+    load-balancer.hetzner.cloud/use-private-ip: "true"

values/ingress-haproxy/env.yaml.gotmpl

@@ -0,0 +1,10 @@
+haproxy:
+  enabled: false
+  autosync: true
+  pdb:
+    minAvailable: 1
+  resources:
+    controller:
+      cpu: "100m"
+      memory: "100Mi"
+  annotations: []

values/ingress-haproxy/manifests/ingress-haproxy.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-haproxy
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  destination:
+    namespace: ingress-haproxy
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+        - name: CLUSTER_NAME
+          value: {{ .Values.clusterConfig.cluster }}
+        - name: HELMFILE_ENVIRONMENT
+          value: default
+        - name: HELMFILE_FILE_PATH
+          value: ingress-haproxy.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.haproxy.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}

values/ingress-haproxy/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: ingress-haproxy
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - host
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+{{- end }}

values/ingress-haproxy/manifests/policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-traffic
+  namespace: ingress-haproxy
+spec:
+  egress:
+    - toFQDNs:
+        - matchPattern: hubble.*.*.*
+        - matchPattern: hubble.*.*.*.*
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+{{- end }}

values/ingress-haproxy/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: ingress-haproxy
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: ingress-haproxy
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "1024"
+              protocol: TCP
+{{- end }}

values/ingress-haproxy/manifests/policies/CiliumNetworkPolicy-allow-world-to-ingress-haproxy.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-to-ingress-haproxy
+  namespace: ingress-haproxy
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+  ingress:
+    - fromEntities:
+        - world
+    - toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
+{{- end }}

values/ingress-haproxy/values/ingress-haproxy.yaml.gotmpl

@@ -0,0 +1,98 @@
+## HAProxy Kubernetes Ingress Controller configuration
+## Ref: https://www.haproxy.com/documentation/kubernetes-ingress/
+##
+controller:
+  resources:
+    requests:
+      cpu: {{ .Values.haproxy.resources.controller.cpu }}
+      memory: {{ .Values.haproxy.resources.controller.memory }}
+
+  ingressClass: haproxy
+
+  ingressClassResource:
+    name: haproxy
+    default: true
+
+  config:
+    body-size: "0"
+    tune.bufsize: "131072"
+
+  tolerations:
+   - key: unschedulable
+     operator: Exists
+     effect: NoSchedule
+   - key: node-role.kubernetes.io/control-plane
+     operator: Exists
+     effect: NoSchedule
+
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/hostname
+            operator: In
+            values: {{ .Values.clusterConfig.ingress_nodes }}
+
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/instance
+            operator: In
+            values:
+            - ingress-haproxy
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+            - kubernetes-ingress
+        topologyKey: "kubernetes.io/hostname"
+
+  replicaCount: {{ .Values.clusterConfig.ingress_replica_count }}
+
+  PodDisruptionBudget:
+    enable: true
+    minAvailable: {{ .Values.haproxy.pdb.minAvailable }}
+
+  service:
+  {{- if .Values.clusterConfig.ingress_loadbalancer }}
+    type: LoadBalancer
+    {{- if .Values.clusterConfig.ingress_nodeport }}
+    nodePorts:
+      http: 30080
+      https: 30443
+    {{- end }}
+  {{- else if .Values.clusterConfig.ingress_nodeport }}
+    type: NodePort
+    externalTrafficPolicy: Local
+    nodePorts:
+      http: 30080
+      https: 30443
+  {{- else }}
+    type: ClusterIP
+  {{- end }}
+    annotations:
+      {{- with .Values.haproxy.annotations }}
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+
+  hostNetwork: {{ .Values.clusterConfig.ingress_hostnetwork }}
+
+  hostPorts:
+    enable: {{ .Values.clusterConfig.ingress_hostport }}
+    http: 80
+    https: 443
+
+  stats:
+    enabled: true
+
+  prometheus:
+    enabled: true
+    port: 1024
+    service:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "1024"
+
+  serviceMonitor:
+    enabled: true

values/ingress-nginx/env-hel1.yaml.gotmpl

@@ -1,5 +1,5 @@
 nginx:
-  enabled: true
+  enabled: false
   autosync: true
   pdb:
     minAvailable: 1

values/makai/values/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "ad49e745-debug"
+  tag: "1c9c91a9-debug"
 env:
   - name: APP_VERSION
     value: "0.0.0"
@@ -8,13 +8,11 @@ env:
     value: "1"
 ingress:
   enabled: true
-  className: "nginx"
+  className: "haproxy"
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-enable: "true"
     oceanbox.io/expose: internal
   hosts:
     - host: makai.oceanbox.io

values/system/hel1/hubble-ui-ingress.yaml

@@ -2,13 +2,11 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
     oceanbox.io/expose: internal
   name: hubble-ui
   namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
     - host: hubble.hel1.oceanbox.io
       http:
@@ -26,13 +24,11 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
-    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
     oceanbox.io/expose: internal
   name: hubble-ui-oauth2-proxy
   namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
   rules:
     - host: hubble.hel1.oceanbox.io
       http:

values/system/hel1/kyverno/whitelist-internal-ingresses.yaml

@@ -14,9 +14,8 @@ metadata:
       whitelist to the already existing ones
 spec:
   mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or
   rules:
-  - name: ensure-nginx-whitelist-exists
+  - name: ensure-haproxy-allowlist-exists
     skipBackgroundRequests: true
     match:
       resources:
@@ -28,8 +27,8 @@ spec:
       patchStrategicMerge:
         metadata:
           annotations:
-            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
-  - name: append-existing-whitelist
+            +(haproxy.org/allow-list): ""
+  - name: append-existing-haproxy-allowlist
     skipBackgroundRequests: true
     match:
       resources:
@@ -39,7 +38,7 @@ spec:
           oceanbox.io/expose: internal
     preconditions:
       any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
         operator: NotEquals
         value: ""
     mutate:
@@ -47,9 +46,9 @@ spec:
         metadata:
           annotations:
             {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            haproxy.org/allow-list: "{{`{{ @ }}`}},{{ join "," . }}"
             {{- end }}
-  - name: add-nginx-whitelist
+  - name: add-haproxy-allowlist
     skipBackgroundRequests: true
     match:
       resources:
@@ -59,7 +58,7 @@ spec:
           oceanbox.io/expose: internal
     preconditions:
       any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
         operator: Equals
         value: ""
     mutate:
@@ -67,7 +66,6 @@ spec:
         metadata:
           annotations:
             {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            haproxy.org/allow-list: "{{ join "," . }}"
             {{- end }}
 {{- end }}
-