From ce23cead07313bc88622cf77f4ac16e4a2c0d9ca Mon Sep 17 00:00:00 2001
From: Maximilian Linhoff
Date: Wed, 25 Mar 2026 12:46:30 +0100
Subject: [PATCH] Add ingress config example for haproxy

---
 charts/rucio-server/Chart.yaml | 2 +-
 charts/rucio-server/README.md | 50 ++++++++++++++++++++++++++--------
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/charts/rucio-server/Chart.yaml b/charts/rucio-server/Chart.yaml
index ae9c0fdf..761cb6d2 100644
--- a/charts/rucio-server/Chart.yaml
+++ b/charts/rucio-server/Chart.yaml
@@ -1,5 +1,5 @@
 name: rucio-server
-version: 39.0.0
+version: 39.0.1
 apiVersion: v1
 description: A Helm chart to deploy servers for Rucio
 keywords:
diff --git a/charts/rucio-server/README.md b/charts/rucio-server/README.md
index 7ba3d913..5c3dcd54 100644
--- a/charts/rucio-server/README.md
+++ b/charts/rucio-server/README.md
@@ -126,21 +126,47 @@ For the authentication ingress the configuration is a bit different if you want to use the x509 certificate authentication in Rucio. In this case the TLS connection cannot be terminated by the ingress controller but instead it has to be forwarded to the pods so that they can verify the user certificate. You will -need an ingress controller that supports TLS passthrough. This documentation -will focus on the nginx ingress controller. +need an ingress controller that supports TLS passthrough. + +This has been tested with the HAProxy Kubernetes Ingress controller and the +now retired Ingress NGINX. First, the `service` has to be configured using HTTPS as described above. -Then, you can enable passthrough in the ingress definition: - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - hosts: - - my.rucio-auth.test - path: / +### HAProxy Kubernetes Ingress Controller + +``` +rucio-server: + useSSL: true + ingress: + enabled: true + ingressClassName: haproxy + annotations: + haproxy.org/ssl-passthrough: "true" + hosts: + - my.rucio-auth.test + tls: + - secretName: # we use passthrough, so no secret required for ingress +``` + + +### ingress-controller-nginx + +Should not be used anymore, for reference: + +``` +rucio-server: + ingress: + enabled: true + ingressClassName: nginx + annotations: + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + hosts: + - my.rucio-auth.test + tls: + - secretName: # we use passthrough, so no secret required for ingress +``` ## httpd config