Add HAProxy Ingress docs

README.md

@@ -24,7 +24,7 @@
 ## Requirements
 
 - Kubernetes 1.2+
-- Compatible ingress controller (nginx or GCE see [here](#ingress-controllers))
+- Compatible ingress controller (nginx, HAProxy or GCE see [here](#ingress-controllers))
 - Non-production use case :laughing:
 
 ## Usage
@@ -33,6 +33,7 @@
 
 * [GCE](examples/gce/README.md)
 * [nginx controller](examples/nginx/README.md)
+* [HAProxy controller](/examples/haproxy)
 
 The default value of `LEGO_URL` is the Let's Encrypt **staging environment**. If you want to get "real" certificates you have to configure their production env.
 
@@ -88,6 +89,11 @@ Please note:
 - available through image `gcr.io/google_containers/nginx-ingress-controller`
 - fully supports kube-lego from version 0.8 onwards
 
+### [HAProxy Ingress controller](https://github.com/jcmoraisjr/haproxy-ingress)
+
+- available through image `quay.io/jcmoraisjr/haproxy-ingress`
+- fully supports kube-lego from version 0.3 onwards
+
 ### [GCE Loadbalancers](https://github.com/kubernetes/ingress/tree/master/controllers/gce)
 
 - you don't have to maintain the ingress controller yourself, you pay GCE to do that for you
@@ -104,10 +110,12 @@ Please note:
 | `LEGO_URL` | n | `https://acme-staging.api.letsencrypt.org/directory` | URL for the ACME server. To get "real" certificates set to the production API of Let's Encrypt: `https://acme-v01.api.letsencrypt.org/directory` |
 | `LEGO_SECRET_NAME` | n | `kube-lego-account` | Name of the secret in the same namespace that contains ACME account secret |
 | `LEGO_SERVICE_NAME_NGINX` | n | `kube-lego-nginx` | Service name for NGINX ingress |
+| `LEGO_SERVICE_NAME_HAPROXY` | n | `kube-lego-haproxy` | Service name for HAProxy ingress |
 | `LEGO_SERVICE_NAME_GCE` | n | `kube-lego-gce` | Service name for GCE ingress |
-| `LEGO_SUPPORTED_INGRESS_CLASS` | n | `nginx,gce` | Specify the supported ingress class |
-| `LEGO_SUPPORTED_INGRESS_PROVIDER` | n | `nginx,gce` | Specify the supported ingress provider |
+| `LEGO_SUPPORTED_INGRESS_CLASS` | n | `nginx,haproxy,gce` | Specify the supported ingress class |
+| `LEGO_SUPPORTED_INGRESS_PROVIDER` | n | `nginx,haproxy,gce` | Specify the supported ingress provider |
 | `LEGO_INGRESS_NAME_NGINX` | n | `kube-lego-nginx` | Ingress name which contains the routing for HTTP verification for nginx ingress |
+| `LEGO_INGRESS_NAME_HAPROXY` | n | `kube-lego-haproxy` | Ingress name which contains the routing for HTTP verification for HAProxy ingress |
 | `LEGO_PORT` | n | `8080` | Port where this daemon is listening for verifcation calls (HTTP method)|
 | `LEGO_CHECK_INTERVAL` | n | `8h` | Interval for periodically certificate checks (to find expired certs)|
 | `LEGO_MINIMUM_VALIDITY` | n | `720h` (30 days) | Request a renewal when the remaining certificate validity falls below that value|
@@ -121,6 +129,7 @@ Please note:
 ## Full deployment examples
 
 - [Nginx Ingress Controller](examples/nginx/)
+- [HAProxy Ingress controller](/examples/haproxy)
 - [GCE Load Balancers](examples/gce/)
 
 ## Troubleshooting

examples/haproxy/README.md

@@ -0,0 +1,36 @@
+# kube-lego example
+
+This document demonstrates how to deploy kube-lego to the
+[HAProxy Ingress](https://github.com/jcmoraisjr/haproxy-ingress) controller.
+
+## Deploy the Ingress controller
+
+Follow the [deployment instructions](https://github.com/kubernetes/ingress/tree/master/examples/deployment/haproxy)
+including the deployment of the optional web app for testing.
+
+## Deploy kube-lego
+
+The following instruction will create the kube-lego deployment on it's own namespace.
+Be aware that kube-lego creates it's related service on its own.
+
+* Change `LEGO_EMAIL` to your email address
+* Uncomment `LEGO_URL` to use the production API
+
+```console
+kubectl create ns kube-lego
+kubectl create -f deployment.yaml
+```
+
+## Enable kube-lego in the testing application
+
+This will add a TLS secret name and tls-acme annotation to the ingress resource created
+in the deployment instruction.
+
+* Change both `echo.example.com` to the public domain of your Ingress controller
+
+```console
+kubectl replace -f app-ingress.yaml
+```
+
+The `app-tls` secret and the https url should be updated. Check the log output of
+HAProxy Ingress and kube-lego pods if this doesn't happen.

examples/haproxy/app-ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: app
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.class: "haproxy"
+spec:
+  tls:
+  - hosts:
+    - echo.example.com
+    secretName: app-tls
+  rules:
+  - host: echo.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: http-svc
+          servicePort: 8080

examples/haproxy/lego-deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-lego
+  namespace: kube-lego
+spec:
+  selector:
+    matchLabels:
+      app: kube-lego
+  template:
+    metadata:
+      labels:
+        app: kube-lego
+    spec:
+      containers:
+      - name: kube-lego
+        ## HAProxy support isn't on the stable release yet!
+        image: jetstack/kube-lego:canary
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+        env:
+        ## Use HAProxy Ingress
+        - name: LEGO_DEFAULT_INGRESS_CLASS
+          value: haproxy
+        ## Specify your email address
+        - name: LEGO_EMAIL
+          value: [email protected]
+        ## Uncomment LEGO_URL to use the production API - default is to use staging
+        # - name: LEGO_URL
+        #   value: https://acme-v01.api.letsencrypt.org/directory
+        - name: LEGO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LEGO_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 1