[zeeZ]

If I were to use it as a k8s ingress, how would I do OCSP stapling? nginx does that for you, but with haproxy you've always had to hack something together to add a .ocsp file (which has to exist at startup) and reload externally.

I also see no option for client certificate auth or TLS versions and cipher suites in the repo.

I guess it's still better to handle TLS outside of haproxy.

[wtarreau]

Strange that you see no option for client certs because that has been supported from day one. In addition we even support SNI-based client auth even with wildcard certs. Same for TLS versions and cipher suites.

Further, just look at https://istlsfastyet.com/ and you'll see that haproxy, H2O and nghttpx are the only 3 implementations checking everything (and haproxy was the one inventing dynamic record sizing).

So it seems your opinion on haproxy's TLS support is not that spread!

[zeeZ]

I know haproxy itself supports that and have used those features with static configuration, but does the k8s ingress controller out of the box?

[wtarreau]

I don't know as I have no use for it. Just check the article, it presents some of the things done with the ingress controller, it should answer some of your questions I guess.

[bedis9]

Yes, it does. We'll blog about those use cases during the summer.

[bedis9]

As you explained, HAProxy does support OCSP stapling through flat file, but also support it through the runtime API.

v1 of the ingress controller does not update OCSP. That said, this is planed for a next release.

Stay tuned :)