The chapter 'Bootstrapping the Kubernetes Control Plane' is updated.

2019-02-16 19:10:36 +09:00 · 2019-02-16 19:10:36 +09:00 · f5c9aa79d3
parent 32a6d0982d
commit f5c9aa79d3
1 changed files with 87 additions and 42 deletions
--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
@ -277,59 +277,104 @@ EOF

 ## The Kubernetes Frontend Load Balancer

-In this section you will provision an external load balancer to front the Kubernetes API Servers. The `kubernetes-the-hard-way` static IP address will be attached to the resulting load balancer.
-
-> The compute instances created in this tutorial will not have permission to complete this section. Run the following commands from the same machine used to create the compute instances.
+In this section you will setup a load balancer to front the Kubernetes API Servers.


-### Provision a Network Load Balancer
+### Setting up a Load Balancer

-Create the external load balancer network resources:
+Login to the load balancer:

 ```
-{
-  KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
-    --region $(gcloud config get-value compute/region) \
-    --format 'value(address)')
-
-  gcloud compute http-health-checks create kubernetes \
-    --description "Kubernetes Health Check" \
-    --host "kubernetes.default.svc.cluster.local" \
-    --request-path "/healthz"
-
-  gcloud compute firewall-rules create kubernetes-the-hard-way-allow-health-check \
-    --network kubernetes-the-hard-way \
-    --source-ranges 209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 \
-    --allow tcp
-
-  gcloud compute target-pools create kubernetes-target-pool \
-    --http-health-check kubernetes
-
-  gcloud compute target-pools add-instances kubernetes-target-pool \
-   --instances controller-0,controller-1,controller-2
-
-  gcloud compute forwarding-rules create kubernetes-forwarding-rule \
-    --address ${KUBERNETES_PUBLIC_ADDRESS} \
-    --ports 6443 \
-    --region $(gcloud config get-value compute/region) \
-    --target-pool kubernetes-target-pool
-}
+$ ssh -i ~/.ssh/id_rsa-k8s.pub 10.240.0.10
 ```

+
+Install the required packages:
+
+```
+$ sudo apt-get install -y haproxy
+```
+
+
+Edit `haproxy.cfg`:
+
+```
+$ sudo vi /etc/haproxy/haproxy.cfg
+$ cat /etc/haproxy/haproxy.cfg
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Default ciphers to use on SSL-enabled listening sockets.
+    # For more information, see ciphers(1SSL). This list is from:
+    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+    ssl-default-bind-options no-sslv3
+
+defaults
+    log    global
+    mode    http
+    option    httplog
+    option    dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+frontend haproxynode
+    bind *:6443
+    mode tcp
+    default_backend backendnodes
+
+backend backendnodes
+    mode tcp
+    balance roundrobin
+    option tcp-check
+    option log-health-checks
+    server node1 10.240.0.11:6443 check
+    server node2 10.240.0.12:6443 check
+    server node3 10.240.0.13:6443 check
+
+listen stats
+    bind :32700
+    stats enable
+    stats uri /
+    stats hide-version
+    stats auth someuser:password
+$
+```
+
+
+Enable and start `haproxy` service:
+
+```
+$ sudo systemctl enable haproxy
+$ sudo systemctl start haproxy
+```
+
+
 ### Verification

-Retrieve the `kubernetes-the-hard-way` static IP address:
+Login to one of the controller nodes, and make a HTTP request for the Kubernetes version info:

 ```
-KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
-  --region $(gcloud config get-value compute/region) \
-  --format 'value(address)')
-```
-
-Make a HTTP request for the Kubernetes version info:
-
-```
-curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version
+$ curl --cacert /var/lib/kubernetes/ca.pem https://10.240.0.10:6443/version
 ```

 > output