kubernetes

HAProxy Kubernetes Config Generator

Generate a production-ready haproxy.cfg for load balancing the Kubernetes API server and Ingress controller. Supports 1–3 control plane nodes with TCP passthrough.

Generator

Inputs

Control Plane 1 IP

Private IP of the first control plane node.

Control Plane 2 IP

Leave empty for a single control plane setup.

Control Plane 3 IP

K8s API Port

Default Kubernetes API server port.

HAProxy Stats Port

Stats Page Password

Password for the HAProxy stats page (user: admin).

Output — haproxy.cfg

# Generated by K8sCalc — haproxy-kubernetes-config-generator
# Place at: /etc/haproxy/haproxy.cfg
# Reload with: systemctl reload haproxy

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 5000ms
    timeout client  50000ms
    timeout server  50000ms

#──────────────────────────────────────────────
# Kubernetes API Server (TCP passthrough)
#──────────────────────────────────────────────
frontend k8s-api
    bind *:6443
    mode tcp
    default_backend k8s-api-backend

backend k8s-api-backend
    mode tcp
    balance roundrobin
    option tcp-check
    server master-1 10.0.0.11:6443 check
    server master-2 10.0.0.12:6443 check
    server master-3 10.0.0.13:6443 check

#──────────────────────────────────────────────
# Ingress HTTP
#──────────────────────────────────────────────
frontend ingress-http
    bind *:80
    mode tcp
    default_backend ingress-http-backend

backend ingress-http-backend
    mode tcp
    balance roundrobin
    server worker-1 10.0.0.11:80 check
    server worker-2 10.0.0.12:80 check
    server worker-3 10.0.0.13:80 check

#──────────────────────────────────────────────
# Ingress HTTPS (TCP passthrough — TLS at ingress)
#──────────────────────────────────────────────
frontend ingress-https
    bind *:443
    mode tcp
    default_backend ingress-https-backend

backend ingress-https-backend
    mode tcp
    balance roundrobin
    server worker-1 10.0.0.11:443 check
    server worker-2 10.0.0.12:443 check
    server worker-3 10.0.0.13:443 check

#──────────────────────────────────────────────
# Stats page
#──────────────────────────────────────────────
frontend stats
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:haproxy_stats
    stats hide-version

HAProxy for Kubernetes API Load Balancing

HAProxy is the de-facto standard for Kubernetes API server load balancing in self-hosted setups. It's lightweight (~50 MB RAM), battle-tested, and supports true hot reloads without dropping connections.

Architecture

Internet / kubectl
      │
      ▼
Floating IP (Keepalived VRRP)
      │
  ┌───┴───┐
HAProxy-1  HAProxy-2   ← active/passive
      │
   ┌──┼──┐
  CP1 CP2 CP3    ← control plane nodes

Frontend/Backend Pairs

Frontend	Port	Backend	Mode
k8s-api	6443	Control planes :6443	TCP passthrough
ingress-http	80	Worker nodes :80	TCP passthrough
ingress-https	443	Worker nodes :443	TCP passthrough
stats	8404	HAProxy internal	HTTP

TCP Mode vs HTTP Mode

For the K8s API and HTTPS ingress, always use mode tcp. This:

›Preserves TLS — the backend's certificate is used, not HAProxy's
›Avoids needing to install client certificates on HAProxy
›Supports WebSocket connections (used by kubectl exec/logs)

Keepalived + Hetzner Floating IP

The Floating IP must be reassigned via the Hetzner API when Keepalived triggers a failover. Use the hcloud CLI in the Keepalived notify script:

bash

# /etc/keepalived/notify.sh
hcloud floating-ip assign <floating-ip-id> <server-id>

This reassigns the Floating IP to the active HAProxy node on failover.

Frequently Asked Questions

Why use HAProxy instead of the cloud provider's load balancer?

On Hetzner Cloud, you control the HAProxy VMs directly. This gives you: no per-request cost, TCP passthrough (the TLS cert stays on the API server), Keepalived Floating IP for HA without cloud LB pricing, and full visibility into what HAProxy is doing via the stats page.

Why TCP mode instead of HTTP mode for the API server?

The Kubernetes API server uses TLS (HTTPS). In TCP mode, HAProxy passes the encrypted traffic directly to the backend without terminating TLS. This keeps the API server's certificate the authoritative one and avoids HAProxy needing a copy of the K8s TLS cert.

How does Keepalived work with HAProxy?

Run two HAProxy VMs. Keepalived uses VRRP to assign a Floating IP to the master HAProxy node. If the master fails, Keepalived moves the Floating IP to the backup within 1-2 seconds. All traffic uses the Floating IP, so the failover is transparent to clients.

How do I reload HAProxy without downtime?

Run `systemctl reload haproxy`. HAProxy's reload is graceful — existing connections are not dropped. New connections use the new config. This is why we use mode tcp: a true zero-downtime reload. Contrast with NGINX which needs --graceful-quit.

Related Calculators

K8s Cluster Cost