If I were to use it as a k8s ingress, how would I do OCSP stapling? nginx does that for you, but with haproxy you've always had to hack something together to add a .ocsp file (which has to exist at startup) and reload externally.
I also see no option for client certificate auth or TLS versions and cipher suites in the repo.
I guess it's still better to handle TLS outside of haproxy.
Strange that you see no option for client certs because that has been supported from day one. In addition we even support SNI-based client auth even with wildcard certs. Same for TLS versions and cipher suites.
Further, just look at https://istlsfastyet.com/ and you'll see that haproxy, H2O and nghttpx are the only 3 implementations checking everything (and haproxy was the one inventing dynamic record sizing).
So it seems your opinion on haproxy's TLS support is not that spread!
I don't know as I have no use for it. Just check the article, it presents some of the things done with the ingress controller, it should answer some of your questions I guess.