Yes, the ip-per-service thing is a PITA 
I don’t actually terminate SSL on HAProxy BTW, its primary functions are:
-
To allow me to use “real world” ports (like 443) while still using (free) NodePorts (30000+) in the cluster, and…
-
“finding” my cluster nodes IPs for NodePort, which have unpredictable IP addresses
D