From c7374c8cca4afb0a272e8256aa3179db95b2c482 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 22 Jul 2025 09:52:19 -0500
Subject: [PATCH] r/k8s-controller: Deploy HAProxy
The _haproxy_ role only installs HAProxy and provides some basic global configuration; it expects another role to depend on it and provide concrete proxy configuration with drop-in configuration files. Thus, we need a role specifically for the Kubernetes control plane nodes to provide the configuration to proxy for the API server.
---
group_vars/k8s-controller.yml | 9 +++++
kubernetes.yml | 5 +--
roles/k8s-controller/meta/main.yml | 8 ++++
roles/k8s-controller/tasks/main.yml | 38 +++++++++++++++++++
roles/k8s-controller/templates/haproxy.cfg.j2 | 16 ++++++++
5 files changed, 73 insertions(+), 3 deletions(-)
create mode 100644 roles/k8s-controller/meta/main.yml
create mode 100644 roles/k8s-controller/tasks/main.yml
create mode 100644 roles/k8s-controller/templates/haproxy.cfg.j2
diff --git a/group_vars/k8s-controller.yml b/group_vars/k8s-controller.yml
index c048893..ae75c43 100644
--- a/group_vars/k8s-controller.yml
+++ b/group_vars/k8s-controller.yml
@@ -21,3 +21,12 @@ vrrp_instance:
 track_process {
 kube-apiserver
 }
+
+kube_root_ca_pem: >-
+ {{ lookup(
+ "kubernetes.core.k8s",
+ kind="ConfigMap",
+ namespace="kube-public",
+ resource_name="kube-root-ca.crt"
+ ).data["ca.crt"]
+ }}
diff --git a/kubernetes.yml b/kubernetes.yml
index d658f9e..4fb5dff 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -1,9 +1,8 @@
 - hosts: k8s-controller
 roles:
- - role: keepalived
+ - role: k8s-controller
 tags:
- - keepalived
- - role: kubelet
+ - k8s-controller
 
 - hosts: k8s-node
 roles:
diff --git a/roles/k8s-controller/meta/main.yml b/roles/k8s-controller/meta/main.yml
new file mode 100644
index 0000000..7c50d45
--- /dev/null
+++ b/roles/k8s-controller/meta/main.yml
@@ -0,0 +1,8 @@
+dependencies:
+- role: kubelet
+- role: keepalived
+ tags:
+ - keepalived
+- role: haproxy
+ tags:
+ - haproxy
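Review bot: `kube_root_ca_pem` has nothing in its definition that ties the fetched CA to the hosts the play targets: the `kubernetes.core.k8s` lookup runs on the Ansible control node with whatever kubeconfig the plugin finds there, and the value is only resolved when a task first references it, so a wrong or stale kubeconfig would silently install another cluster's trust anchor on every controller. A comment making that dependency explicit belongs above the variable, e.g. `# Resolved on the control node via its active kubeconfig, not on the target host;` followed by `# the API server must already be reachable when the k8s-controller role runs.` Whether the play pins a kubeconfig elsewhere is not visible in this diff.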
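Review bot: `- role: kubelet` is the only dependency without `tags`, so unlike `keepalived` and `haproxy` it cannot be selected or skipped on its own with `--tags`/`--skip-tags`; for consistency add `tags:` / `- kubelet` under it. Dependencies run before the role's own tasks, and the tasks file in this commit notifies a `reload haproxy` handler and writes into `/etc/haproxy/conf.d/`, both presumably supplied by the `haproxy` role listed here; a short comment on that entry naming what it provides would make the contract visible without reading the other role.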
diff --git a/roles/k8s-controller/tasks/main.yml b/roles/k8s-controller/tasks/main.yml
new file mode 100644
index 0000000..1b1eb1b
--- /dev/null
+++ b/roles/k8s-controller/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: ensure haproxy has a copy of kubernetes ca certificate
+ copy:
+ dest: /etc/haproxy/kube-root-ca.crt
+ content: '{{ kube_root_ca_pem }}'
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ setype: etc_t
+ tags:
+ - haproxy
+ - ca-cert
+- name: ensure haproxy is configured for kubernetes apiserver
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/conf.d/40-apiserver.cfg
+ mode: u=rw,go=r
+ tags:
+ - config
+ - haproxy-config
+ - haproxy
+ notify: reload haproxy
+- name: ensure haproxy can connect to kubernetes apiserver port
+ seboolean:
+ name: haproxy_connect_any
+ state: true
+ persistent: true
+ tags:
+ - selinux
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure haproxy is running
+ service:
+ name: haproxy
+ state: started
+ tags:
+ - service
diff --git a/roles/k8s-controller/templates/haproxy.cfg.j2 b/roles/k8s-controller/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..fba80ec
--- /dev/null
+++ b/roles/k8s-controller/templates/haproxy.cfg.j2
@@ -0,0 +1,16 @@
+listen apiserver
+ mode tcp
+ bind *:443,:::443 v6only
+
+ option tcplog
+
+ balance roundrobin
+
+ option httpchk
+ http-check connect ssl
+ http-check send meth GET uri /healthz
+ http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+ server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}
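Review bot: The copy task that writes `/etc/haproxy/kube-root-ca.crt` does not notify the `reload haproxy` handler, while the template task does; after a cluster CA rotation the new bundle would be on disk but HAProxy would keep validating the API server against the old trust anchor until something else reloads it, so add `notify: reload haproxy` to that task as well. `haproxy_connect_any` is broader than the task name states (one port, 6443); if the target distribution's policy labels that port with a type haproxy_t may reach, a port label via `seport` would be the narrower grant — worth confirming before settling on the boolean. The final service task only sets `state: started`; unless the haproxy dependency role enables the unit, it will not return after a reboot, so `enabled: true` belongs there too.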
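Review bot: The health check verifies the API server certificate chain against `ca-file /etc/haproxy/kube-root-ca.crt`, but with no `verifyhost` or `sni` on the `server` line HAProxy does not check that the certificate was issued for that host, so any certificate signed by the cluster CA satisfies the check; whether chain verification is enforced for checks at all depends on `ssl-server-verify` in the global section the haproxy role provides, which is outside this diff. If the serving certificates' SANs include the inventory hostname, `verifyhost {{ server }}` on the server line pins identity, and an explicit `verify required` removes the dependence on the global default. Separately, `/healthz` is the API server's liveness endpoint; on current versions `http-check send meth GET uri /readyz` is the signal for whether a member should receive traffic, which keeps a still-initialising control plane node out of rotation.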