r/k8s-controller: Deploy HAProxy

The _haproxy_ role only installs HAProxy and provides some basic global
configuration; it expects another role to depend on it and provide
concrete proxy configuration with drop-in configuration files.  Thus, we
need a role specifically for the Kubernetes control plane nodes to
provide the configuration to proxy for the API server.

roles/k8s-controller/templates/haproxy.cfg.j2

@@ -0,0 +1,16 @@
+listen apiserver
+    mode tcp
+    bind *:443,:::443 v6only
+
+    option tcplog
+
+    balance roundrobin
+
+    option httpchk
+    http-check connect ssl
+    http-check send meth GET uri /healthz
+    http-check expect status 200
+
+{% for server in groups["k8s-controller"] %}
+    server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
+{% endfor %}