r/k8s-controller: Deploy HAProxy

The _haproxy_ role only installs HAProxy and provides some basic global configuration; it expects another role to depend on it and provide concrete proxy configuration with drop-in configuration files. Thus, we need a role specifically for the Kubernetes control plane nodes to provide the configuration to proxy for the API server.
2025-07-22 09:52:19 -05:00 · 2025-07-22 09:52:19 -05:00 · 727bd178c0
parent fd155aab49
commit 727bd178c0
4 changed files with 69 additions and 3 deletions
--- a/kubernetes.yml
+++ b/kubernetes.yml
@ -1,9 +1,8 @@
 - hosts: k8s-controller
  roles:
-  - role: keepalived
+  - role: k8s-controller
    tags:
-    - keepalived
-  - role: kubelet
+    - k8s-controller

 - hosts: k8s-node
  roles:
--- a/roles/k8s-controller/meta/main.yml
+++ b/roles/k8s-controller/meta/main.yml
@ -0,0 +1,8 @@
+dependencies:
+- role: kubelet
+- role: keepalived
+  tags:
+  - keepalived
+- role: haproxy
+  tags:
+  - haproxy
--- a/roles/k8s-controller/tasks/main.yml
+++ b/roles/k8s-controller/tasks/main.yml
@ -0,0 +1,43 @@
+# SELinux prevents HAProxy (haproxy_t) from reading the Kubernetes root
+# CA certificate file (kubernetes_file_t).  Changing the policy to
+# allow it would be overly permissive, so we make a private copy of the
+# file for HAproxy to use.
+- name: ensure haproxy has a copy of kubernetes ca certificate
+  copy:
+    src: /etc/kubernetes/pki/ca.crt
+    dest: /etc/haproxy/kube-root-ca.crt
+    owner: root
+    group: root
+    mode: u=rw,go=r
+    setype: etc_t
+    remote_src: true
+  tags:
+  - haproxy
+  - ca-cert
+- name: ensure haproxy is configured for kubernetes apiserver
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/conf.d/40-apiserver.cfg
+    mode: u=rw,go=r
+  tags:
+  - config
+  - haproxy-config
+  - haproxy
+  notify: reload haproxy
+- name: ensure haproxy can connect to kubernetes apiserver port
+  seboolean:
+    name: haproxy_connect_any
+    state: true
+    persistent: true
+  tags:
+  - selinux
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure haproxy is running
+  service:
+    name: haproxy
+    state: started
+  tags:
+  - service
--- a/roles/k8s-controller/templates/haproxy.cfg.j2
+++ b/roles/k8s-controller/templates/haproxy.cfg.j2
@ -0,0 +1,16 @@
+listen apiserver
+    mode tcp
+    bind *:443,:::443 v6only
+
+    option tcplog
+
+    balance roundrobin
+
+    option httpchk
+    http-check connect ssl
+    http-check send meth GET uri /healthz
+    http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+    server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}