HAProxy and keepalived setup
Components:
Hostname | IP |
---|---|
lab-haprx-01 | 10.1.7.20/24 |
lab-haprx-02 | 10.1.7.21/24 |
lab-haprx-03 | 10.1.7.22/24 |
Config:
Update the package index and install the components
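# Install HAProxy + keepalived and enable both units at boot.
apt-get update
apt-get install -y haproxy keepalived
systemctl enable haproxy keepalived

# Older Debian/Ubuntu haproxy packages ship /etc/default/haproxy with ENABLED=0,
# which stops the init script from starting the service. ENABLED=1 turns it ON
# (it does not "disable" anything). Newer packages either drop the ENABLED line
# (the sed is then a harmless no-op) or the file itself, and `sed -i` on a
# missing file fails, so only edit it when it is present.
if [[ -f /etc/default/haproxy ]]; then
  sed -i 's/^ENABLED=.*/ENABLED=1/' /etc/default/haproxy
fi

# The HAProxy frontend binds the keepalived VIP (10.1.7.10) explicitly. On the
# nodes that do not currently hold the VIP that bind fails and haproxy refuses
# to start, so allow binding non-local addresses on every node and persist it.
# (The file name below is arbitrary; any /etc/sysctl.d/*.conf works.)
printf 'net.ipv4.ip_nonlocal_bind = 1\n' > /etc/sysctl.d/99-haproxy-nonlocal-bind.conf
sysctl --system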
Keepalived config
# Open the keepalived config for editing and paste in the vrrp_instance below
# (nano is only the example editor; the path is what matters).
nano /etc/keepalived/keepalived.conf
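# Process tracker referenced by the instance below (keepalived >= 2.0).
# A bare `track_process { haproxy }` needs a matching vrrp_track_process
# definition, otherwise keepalived rejects the config with "track_process
# haproxy not found". Without a `weight`, the instance enters FAULT while no
# haproxy process is running, so the VIP never sits on a node that cannot serve.
vrrp_track_process haproxy {
    process haproxy
}

# VRRP instance that owns the shared API VIP 10.1.7.10.
# Copy this file to every HAProxy node; only `priority` differs per node.
vrrp_instance VI_1 {
    # All nodes start as BACKUP and elect the MASTER by priority. keepalived only
    # honours nopreempt when the initial state is BACKUP; with `state MASTER` it
    # logs a warning and clears nopreempt, which defeats the intent below.
    state BACKUP
    interface eth0              # NIC on the 10.1.7.0/24 segment — confirm the name on each host
    virtual_router_id 51        # identical on all three nodes, unique on the L2 segment
    priority 100                # highest on the preferred node, lower on the others
    advert_int 1
    # Keep the VIP where it is after a failover instead of flapping back when
    # the higher-priority node returns (requires state BACKUP, see above).
    nopreempt
    authentication {
        # VRRPv2 PASS auth is a cleartext tag on the wire and keepalived
        # truncates it to 8 characters; it only guards against stray VRRP
        # groups on the same segment, not against a hostile peer. Restrict
        # VRRP (IP protocol 112) at the host firewall or use unicast_peer if
        # the segment is shared.
        auth_type PASS
        auth_pass ChgMeNow
    }
    virtual_ipaddress {
        10.1.7.10/24
    }
    # Hold MASTER only while an haproxy process exists (see vrrp_track_process
    # above).
    track_process {
        haproxy
    }
}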
# Load the new VRRP config. Check `journalctl -u keepalived` afterwards:
# config errors (e.g. an undefined track_process) only show up in the log.
systemctl restart keepalived
HAProxy config
# Replace the packaged haproxy.cfg with the configuration below
# (nano is only the example editor; the path is what matters).
nano /etc/haproxy/haproxy.cfg
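global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Admin-level socket: anyone who can open it can disable servers or change
    # weights, so keep the 660 mode and haproxy user/group ownership.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations (kept for completeness; unused by the
    # plain TCP passthrough below).
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Mozilla "intermediate" TLS defaults - harmless for plain TCP passthrough.
    # NOTE: the wiki copy of the cipher line was cut off after
    # "DHE-RSA-AES128-GCM-SHA"; the tail is restored from Mozilla's intermediate
    # profile (SSL Configuration Generator) — confirm before relying on it.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode tcp
    # Log every TCP session (source, backend, server, timings) so failovers and
    # client errors are visible in syslog; dontlognull drops empty probe connects.
    option tcplog
    option dontlognull
    timeout connect 10s
    # NOTE: 60s is an *idle* timeout. Long-lived API streams (watch, exec,
    # port-forward) that stay quiet longer than this are cut and must
    # reconnect; raise both values if that becomes a problem.
    timeout client 60s
    timeout server 60s

frontend k8s_api
    # Binds the keepalived VIP explicitly. On nodes that do not currently hold
    # the VIP this bind fails unless net.ipv4.ip_nonlocal_bind=1 is set
    # (the alternative is `bind *:6443`, which listens on every address).
    bind 10.1.7.10:6443
    default_backend k8s_masters

backend k8s_masters
    balance roundrobin
    # Layer-7 readiness probe instead of a bare TCP connect: a control-plane
    # node whose port is open but whose apiserver is not ready (e.g. etcd
    # unreachable) answers /readyz with a non-200 and is taken out of rotation.
    # kube-apiserver serves /readyz to unauthenticated callers by default.
    # The probe speaks TLS without verifying the server cert (check-ssl verify
    # none); client traffic is passed through untouched and still verifies.
    option httpchk GET /readyz
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions check-ssl verify none
    server cp01 10.1.5.10:6443 check
    server cp02 10.1.5.11:6443 check
    server cp03 10.1.5.12:6443 check

# After editing, validate and then restart:
#   haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy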