@mmkhitaryan
Created October 30, 2025 08:55
kubeadm init --config /etc/kubeadm/init.yaml --upload-certs --ignore-preflight-errors=Port-6443

global
    log /dev/log local0
    maxconn 10000

defaults
    log global
    mode tcp
    retries 3
    timeout connect 10s
    timeout client 10m  # e.g. kubectl logs
    timeout server 10m

frontend kube_api_front
    # Listens on all interfaces; controlPlaneEndpoint in init.yaml is 127.0.0.1:6443
    bind 0.0.0.0:6443
    mode tcp
    default_backend kube_api_back

backend kube_api_back
    mode tcp
    balance source
    # Perform an HTTP health check (inside TLS)
    option httpchk GET /livez
    http-check expect status 200
    # "check-ssl verify none" applies to the health check only: the check does not
    # validate the API server certificate. Client traffic is passed through in TCP
    # mode, so TLS stays end to end between the client and kube-apiserver.
    # Localhost as the preferred server
    server local_api 127.0.0.1:16443 maxconn 2000 slowstart 5s check check-ssl verify none
    # The rest as backup
{% for host in cp_hosts %}
    server {{ host }} {{ host }}:16443 maxconn 2000 slowstart 5s init-addr none check check-ssl verify none backup
{% endfor %}

apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
kubernetesVersion: v{{ k8s_version | default("1.33.5") }}
# Clients reach the API through the HAProxy frontend on 6443
controlPlaneEndpoint: "127.0.0.1:6443"
networking:
  podSubnet: "{{ pod_cidr }}"
  serviceSubnet: "{{ svc_cidr }}"
apiServer:
  certSANs:
    - "localhost"
    - "127.0.0.1"
{% for san in cert_sans %}
    - "{{ san }}"
{% endfor %}
{% for host in cp_hosts %}
    - "{{ host }}"
{% endfor %}
  extraArgs:
    # kube-apiserver itself listens on 16443, the port the HAProxy backend targets
    - name: secure-port
      value: "16443"
    - name: authorization-mode
      value: "Node,RBAC"
    - name: enable-admission-plugins
      value: "NodeRestriction"
controllerManager: {}
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
containerRuntimeEndpoint: "{{ cri_socket }}"
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "iptables"