x509 auth needs to go through nginx load balancer

[npmaile]

at some point code that looks roughly like this needs to be deployed to get nginx load balancing in front of the x509

echo "Creating Gate x509 API Service for deployment named sandbox-us-central1"
cat <<SVC_EOF | kubectl --kubeconfig="/spinnaker/.kube/sandbox-us-central1.config" apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: spin
    cluster: spin-gate
  name: spin-gate-spin-api
  namespace: spinnaker
spec:
  ports:
  - name: x509
    port: 8085
    protocol: TCP
    targetPort: 8085
  selector:
    app: spin
    cluster: spin-gate
  type: ClusterIP
SVC_EOF

echo "Creating Gate x509 API Ingress for deployment named sandbox-us-central1"
cat <<ING_EOF | kubectl --kubeconfig="/spinnaker/.kube/sandbox-us-central1.config" apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  labels:
    app: spin
    cluster: spin-gate
  name: spin-gate-spin-api
  namespace: spinnaker
spec:
  rules:
  - host: spin-api.spinnaker.example.com
    http:
      paths:
      - backend:
          serviceName: spin-gate-spin-api
          servicePort: 8085
        path: /
  tls:
  - hosts:
    - spin-api.spinnaker.example.com
ING_EOF

thanks to @dmrogers7 for finding the code that will do it.