fix: add haproxy sidecar to prepend PROXY protocol for registry pushes

Routes git.lunarfront.tech:443 through a local haproxy that adds the
PROXY protocol header nginx requires, bypassing the DO LB hairpin.

runner/haproxy-configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runner-haproxy-config
+  namespace: runner
+data:
+  haproxy.cfg: |
+    global
+      daemon
+      log stdout format raw local0
+
+    defaults
+      mode tcp
+      log global
+      timeout connect 5s
+      timeout client 30s
+      timeout server 30s
+
+    frontend registry
+      bind 0.0.0.0:443
+      default_backend nginx
+
+    backend nginx
+      server nginx ingress-nginx-controller.ingress-nginx.svc.cluster.local:443 send-proxy