Adding HAProxy as load balancer to the Kubernetes cluster
As I mentioned in my Kubernetes homelab setup post, I initially setup Kemp Free load balancer as an easy quick solution.While Kemp did me good, I’ve had experience playing with HAProxy and figured it could be a good alternative to the extensive options Kemp offers. It could also be a good start if I wanted to have HAProxy as an ingress in my cluster at some point.
There’s a few things here we need in order to make this work:
1 – Make HAProxy load balance on 6443
2- Make HAProxy health check our nodes on the /healthz path
Configuring HAProxy
Since I’m using debian 10 (buster), I will install HAProxy using apt install haproxy -y
Next step is to configure HAProxy. Its configuration file lives in /etc/haproxy/haproxy.cfg. Here’s my configuration file. Adapt it to your needs.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # An alternative list with additional directives can be obtained from # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option dontlognull timeout connect 5s timeout client 50s timeout server 50s errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend k8s_frontend # my server has 2 IP addresses, but you can use *:6443 to listen on all interfaces and on that specific port bind 192.168.1.21:6443 mode tcp default_backend k8s_backend backend k8s_backend mode tcp balance roundrobin # k8s apiServer requires a host option httpchk GET /healthz HTTP/1.1\r\nHost:\ 192.168.1.21 # disable ssl verification as we have self-signed certs server k8s_master_1 192.168.1.15:6443 check check-ssl verify none server k8s_master_2 192.168.1.16:6443 check check-ssl verify none listen stats # my server has 2 IP addresses, but you can use *:<port> to listen on all interfaces and on the specific port bind 192.168.1.20:80 mode http stats enable stats uri / # if you want to hide haproxy version, uncomment this #stats hide-version # if you want to protect this page using basic auth, uncomment the next 2 lines and configure the auth line with your username/password #stats realm Haproxy\ Statistics #stats auth username:password |
Once configured and running, the dashboard should mark all the master nodes up, green and running
