Strange that you see no option for client certs because that has been supported from day one. In addition we even support SNI-based client auth even with wildcard certs. Same for TLS versions and cipher suites.
Further, just look at https://istlsfastyet.com/ and you'll see that haproxy, H2O and nghttpx are the only 3 implementations checking everything (and haproxy was the one inventing dynamic record sizing).
So it seems your opinion on haproxy's TLS support is not that spread!
I don't know as I have no use for it. Just check the article, it presents some of the things done with the ingress controller, it should answer some of your questions I guess.
Further, just look at https://istlsfastyet.com/ and you'll see that haproxy, H2O and nghttpx are the only 3 implementations checking everything (and haproxy was the one inventing dynamic record sizing).
So it seems your opinion on haproxy's TLS support is not that spread!