r/k8s-controller: Deploy HAProxy

The _haproxy_ role only installs HAProxy and provides some basic global configuration; it expects another role to depend on it and provide concrete proxy configuration with drop-in configuration files. Thus, we need a role specifically for the Kubernetes control plane nodes to provide the configuration to proxy for the API server.
2025-07-22 09:52:19 -05:00 · 2025-07-22 09:52:19 -05:00 · c7374c8cca
parent 381ffe7112
commit c7374c8cca
5 changed files with 73 additions and 3 deletions
--- a/group_vars/k8s-controller.yml
+++ b/group_vars/k8s-controller.yml
@ -21,3 +21,12 @@ vrrp_instance:
    track_process {
        kube-apiserver
    }
+
+kube_root_ca_pem: >-
+  {{ lookup(
+    "kubernetes.core.k8s",
+    kind="ConfigMap",
+    namespace="kube-public",
+    resource_name="kube-root-ca.crt"
+    ).data["ca.crt"]
+  }}
--- a/kubernetes.yml
+++ b/kubernetes.yml
@ -1,9 +1,8 @@
 - hosts: k8s-controller
  roles:
-  - role: keepalived
+  - role: k8s-controller
    tags:
-    - keepalived
-  - role: kubelet
+    - k8s-controller

 - hosts: k8s-node
  roles:
--- a/roles/k8s-controller/meta/main.yml
+++ b/roles/k8s-controller/meta/main.yml
@ -0,0 +1,8 @@
+dependencies:
+- role: kubelet
+- role: keepalived
+  tags:
+  - keepalived
+- role: haproxy
+  tags:
+  - haproxy
--- a/roles/k8s-controller/tasks/main.yml
+++ b/roles/k8s-controller/tasks/main.yml
@ -0,0 +1,38 @@
+- name: ensure haproxy has a copy of kubernetes ca certificate
+  copy:
+    dest: /etc/haproxy/kube-root-ca.crt
+    content: '{{ kube_root_ca_pem }}'
+    owner: root
+    group: root
+    mode: u=rw,go=r
+    setype: etc_t
+  tags:
+  - haproxy
+  - ca-cert
+- name: ensure haproxy is configured for kubernetes apiserver
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/conf.d/40-apiserver.cfg
+    mode: u=rw,go=r
+  tags:
+  - config
+  - haproxy-config
+  - haproxy
+  notify: reload haproxy
+- name: ensure haproxy can connect to kubernetes apiserver port
+  seboolean:
+    name: haproxy_connect_any
+    state: true
+    persistent: true
+  tags:
+  - selinux
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure haproxy is running
+  service:
+    name: haproxy
+    state: started
+  tags:
+  - service
--- a/roles/k8s-controller/templates/haproxy.cfg.j2
+++ b/roles/k8s-controller/templates/haproxy.cfg.j2
@ -0,0 +1,16 @@
+listen apiserver
+    mode tcp
+    bind *:443,:::443 v6only
+
+    option tcplog
+
+    balance roundrobin
+
+    option httpchk
+    http-check connect ssl
+    http-check send meth GET uri /healthz
+    http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+    server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}