Micronetes Master Node Setup

by geekdojo

Files


No files for this article.

Configure Keepalive

We use keepalive on each of the 3 master nodes to ensure a single static IP is available at all times for the Kubernetes API. If a node fails then keepalive will move the IP to one of the remaining "up" nodes. As with before change the IPs found within to meet your needs.

Install Keepalive

> sudo apt-get install keepalived

Configure Keepalive

Note: on each master node you need to change the "unicast_src_ip" to match the IP of the node. Then change the "unicast_peer_ip" to match the other two nodes.

> sudo nano /etc/keepalived/keepalived.conf

# replace with the following:
vrrp_script haproxy-check {
    script "killall -0 haproxy"
    interval 2
    weight 20
}
 
vrrp_instance haproxy-vip {
    state BACKUP
    priority 101
    interface eth0
    virtual_router_id 47
    advert_int 3
 
    unicast_src_ip 192.168.200.252
    unicast_peer {
        192.168.200.250
        192.168.200.251
    }
 
    virtual_ipaddress {
        192.168.200.249 
    }
 
    track_script {
        haproxy-check weight 20
    }
}

Reboot

> sudo reboot now

HAProxy Setup

We use HAProxy to route traffic from the master node IP to the aforementioned keepalive IP (in this example 192.168.200.249).

Install HAProxy

> sudo apt-get install haproxy

Enable on Startup

> sudo nano /etc/default/haproxy
# Set	ENABLED=1

Configure HAProxy The SSH proxy is optional - I found that sometimes HAProxy would interfere with SSH unless I put the proxy in. Something to figure out longer term.

> sudo nano /etc/haproxy/haproxy.cfg

# Edit with the following

global
        log 127.0.0.1:514  local0
        log 127.0.0.1:514  local0 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd lis$
        stats timeout 30s
#       user haproxy
#       group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?serv$
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:EC$
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 1s
        timeout client  20s
        timeout server  20s
        timeout client-fin 20s
        timeout tunnel 1h
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen stats
  bind    *:9000
  mode    http
  stats   enable
  stats   hide-version
  stats   uri       /stats
  stats   refresh   30s
  stats   realm     Haproxy\ Statistics
  stats   auth      Admin:Password

frontend k8s-api
        bind 192.168.200.249:443
        bind 127.0.0.1:443
        mode tcp
        option tcplog
        default_backend k8s-api

frontend ssh-proxy
        bind 192.168.200.251:2222
        mode tcp
        option tcplog
        default_backend ssh-proxy-backend

backend k8s-api
        mode tcp
        server kuber04m01 192.168.200.250:6443 check
        server kuber04m02 192.168.200.251:6443 check
        server kuber04m03 192.168.200.252:6443 check

backend ssh-proxy-backend
        mode tcp
        server kuber04m02 192.168.200.251:22 check id 1

Reboot

> sudo reboot now