configpolicy/roles/k8s-controller/templates/haproxy.cfg.j2

listen apiserver
    mode tcp
    bind *:443,:::443 v6only

    option tcplog

    balance roundrobin

    option httpchk
    http-check connect ssl
    http-check send meth GET uri /healthz
    http-check expect status 200

{% for server in groups["k8s-controller"] %}
    server {{ server.split(".")[0] }} {{ server }}:6443 check ca-file /etc/haproxy/kube-root-ca.crt
{% endfor %}