End to end TLS encryption with external HAProxy #9908
Unanswered. domian-piotr asked this question in Q&A.
Replies: 1 comment
Linkerd works well with any ingress controller as long as they have a pod inside of the cluster. Linkerd handles mainly East-to-West traffic; for that to happen, HAProxy needs to be inside the cluster as well. At the moment, you cannot inject an external process with the proxy. A workaround would be to have some sort of a pod that can be injected with the sidecar proxy at the edge of your cluster. Ideally, requests would flow from this intermediate hop. Linkerd would be able to mTLS that.
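The workaround described in the reply above, sketched as Kubernetes manifests. This is an added example, not part of the original reply or of Linkerd's documentation; the names `edge-relay` and `my-app`, the `default` namespace, the ports and the nginx image are assumptions. The external HAProxy is not meshed, so Linkerd's mTLS covers only the relay-to-backend hop, and any TLS between HAProxy and the relay has to be configured separately.

```yaml
# Added example: an in-cluster relay pod that the external HAProxy targets.
apiVersion: v1
kind: ConfigMap
metadata:
  name: edge-relay-conf
data:
  default.conf: |
    server {
      listen 8080;
      location / {
        # Forward to the meshed backend Service (hypothetical name my-app).
        proxy_pass http://my-app.default.svc.cluster.local:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: edge-relay
spec:
  selector:
    matchLabels: {app: edge-relay}
  template:
    metadata:
      labels: {app: edge-relay}
      annotations:
        linkerd.io/inject: enabled  # Linkerd adds its sidecar proxy to this pod
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports: [{containerPort: 8080}]
          volumeMounts:
            - {name: conf, mountPath: /etc/nginx/conf.d}
      volumes:
        - name: conf
          configMap: {name: edge-relay-conf}
---
apiVersion: v1
kind: Service
metadata:
  name: edge-relay
spec:
  type: NodePort  # reachable from the HAProxy host outside the cluster
  selector: {app: edge-relay}
  ports:
    - {port: 8080, targetPort: 8080, nodePort: 30080}
```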
Hi,
I'm asking for help with end to end encryption with external HAProxy. Going forward with https://www.haproxy.com/blog/run-the-haproxy-kubernetes-ingress-controller-outside-of-your-kubernetes-cluster/
I connect it to my cluster. Ofc I added service mesh Linkerd and everything is ready to use.
I wanna encrypt my communication between client and HAProxy and from HAProxy to mTLS inside mesh.
So according to documentation: https://linkerd.io/2.12/tasks/using-ingress/#haproxy I did everything written in the documentation and applied it to my cluster configuration (in this case Ingress Resource).
Unfortunately, the provided solution doesn't work for external HAProxy Ingress Controller.
Does anyone know how to configure Ingress Resource or HAProxy Ingress Controller to work with Linkerd?
I know I can add SSL on haproxy.cfg and set my path to certificates to encrypt incoming traffic, but I want Linkerd to secure this incoming communication from clients, not HAProxy.