VMware provides an implementation of the open source HAProxy load balancer that you can use in your vSphere IaaS control plane environment. If you are using vSphere Distributed Switch (vDS) networking for Workload Management, you can install and configure the HAProxy load balancer.

Create a vSphere Distributed Switch for a Supervisor for Use with HAProxy Load Balancer

To configure a vSphere cluster as a Supervisor that uses the vSphere networking stack and the HAProxy load balancer, you must add the hosts to a vSphere Distributed Switch. You must create port groups on the distributed switch that you configure as Workload Networks to the Supervisor.

You can select between different topologies for the Supervisor depending on the level of isolation that you want to provide to the Kubernetes workloads that will run on the cluster.

Prerequisites

Procedure

  1. In the vSphere Client, navigate to a data center.
  2. Right-click the data center and select Distributed Switch > New Distributed Switch.
  3. Enter a name for the switch, for example Workload Distributed Switch, and click Next.
  4. Select version 7.0 for the switch and click Next.
  5. In Port group name, enter Primary Workload Network, click Next, and click Finish.
    A new distributed switch with one port group is created on the data center. You can use this port group as the Primary Workload Network for the Supervisor that you will create. The Primary Workload Network handles the traffic for Kubernetes control plane VMs.
  6. Create distributed port groups for Workload Networks.
    The number of port groups that you create depends on the topology that you want to implement for the Supervisor. For a topology with one isolated Workload Network, create one distributed port group that you will use as a network for all namespaces on the Supervisor. For a topology with isolated networks for each namespace, create the same number of port groups as the number of namespaces that you will create.
    1. Navigate to the newly-created distributed switch.
    2. Right-click the switch and select Distributed Port Groups > New Distributed Port Group.
    3. Enter a name for the port group, for example Workload Network, and click Next.
    4. Leave the defaults, click Next and click Finish.
  7. Add hosts from the vSphere clusters that you will configure as a Supervisor to the distributed switch.
    1. Right-click the distributed switch and select Add and Manage Hosts.
    2. Select Add Hosts.
    3. Click New Hosts, select the hosts from the vSphere cluster that you will configure as a Supervisor, and click Next.
    4. Select a physical NIC from each host and assign it an uplink on the distributed switch.
    5. Click Next through the remaining screens of the wizard and click Finish.

Results

The hosts are added to the distributed switch. You can now use the port groups that you created on the switch as Workload Networks of the Supervisor.

Deploy the HAProxy Load Balancer Control Plane VM

If you want to use the vSphere networking stack for Kubernetes workloads, install the HAProxy control plane VM to provide load balancing services to TKG clusters.

Prerequisites

It may be helpful to view a demonstration of how to use vSphere IaaS control plane with vDS networking and HAProxy. Check out the video Getting Started Using vSphere with Tanzu.

Procedure

  1. Log in to the vCenter Server using the vSphere Client.
  2. Create a new VM from the HAProxy OVA file.
    Content Library: If you imported the OVA to a Local Content Library:
    • Go to Menu > Content Library.
    • Select the library where you imported the OVA.
    • Select the vmware-haproxy-vX.X.X template.
    • Right-click and choose New VM from This Template.
    Local file: If you downloaded the OVA file to your local host:
    • Select the vCenter cluster where you will enable Workload Management.
    • Right-click and select Deploy OVF Template.
    • Select Local File and click Upload Files.
    • Browse to and select the vmware-haproxy-vX.X.X.ova file.
  3. Enter a Virtual machine name, such as haproxy.
  4. Select the Datacenter where you are deploying HAProxy and click Next.
  5. Select the vCenter Cluster where you will enable Workload Management and click Next.
  6. Review and confirm the deployment details and click Next.
  7. Accept the License agreements and click Next.
  8. Select a deployment configuration. See HAProxy Network Topology in vSphere IaaS Control Plane Concepts and Planning for details.
    | Configuration | Description |
    | --- | --- |
    | Default | Select this option to deploy the appliance with 2 NICs: a Management network and a single Workload network. |
    | Frontend Network | Select this option to deploy the appliance with 3 NICs. The frontend subnet is used to isolate cluster nodes from the network used by developers to access the cluster control plane. |
  9. Select the storage policy to use for the VM and click Next.
  10. Select the network interfaces to use for the load balancer and click Next.
    | Source Network | Destination Network |
    | --- | --- |
    | Management | Select the Management network, such as VM Network. |
    | Workload | Select the vDS portgroup configured for Workload Management. |
    | Frontend | Select the vDS portgroup configured for the Frontend subnet. If you did not select Frontend configuration, this setting is ignored during installation, so you can leave the default. |
    Note: The workload network must be on a different subnet than the management network. See Requirements for Enabling a Three-Zone Supervisor with HA Proxy Load Balancer and Requirements for Enabling a Single-Cluster Supervisor with VDS Networking and HAProxy Load Balancer in vSphere IaaS Control Plane Concepts and Planning.
  11. Customize the application configuration settings. See Appliance Configuration Settings.
  12. Provide the network configuration details. See Network Configuration.
  13. Configure load balancing. See Load Balancing Settings.
  14. Click Next to complete the configuration of the OVA.
  15. Review the deployment configuration details and click Finish to deploy the OVA.
  16. Monitor the deployment of the VM using the Tasks panel.
  17. When the VM deployment completes, power it on.

What to do next

Once the HAProxy load balancer is successfully deployed and powered on, proceed with enabling Workload Management. See Configuring and Managing a Supervisor.

Customize the HAProxy Load Balancer

Customize the HAProxy control plane VM, including configuration settings, network settings, and load balancing settings.

Appliance Configuration Settings

The table lists and describes the parameters for HAProxy appliance configuration.

| Parameter | Description | Remark or Example |
| --- | --- | --- |
| Root Password | Initial password for the root user (6-128 characters). | Subsequent changes of password must be performed in the operating system. |
| Permit Root Login | Option to allow the root user to log in to the VM remotely over SSH. | Root login might be needed for troubleshooting, but keep in mind the security implications of allowing it. |
| TLS Certificate Authority (ca.crt) | To use the self-signed CA certificate, leave this field empty. To use your own CA certificate (ca.crt), paste its contents into this field. You might need to Base64-encode the contents. https://www.base64encode.org/ | If you are using the self-signed CA certificate, the public and private keys will be generated from the certificate. |
| Key (ca.key) | If you are using the self-signed certificate, leave this field empty. If you provided a CA certificate, paste the contents of the certificate private key in this field. | |

Network Configuration

The table lists and describes the parameters for HAProxy network configuration.

| Parameter | Description | Remark or Example |
| --- | --- | --- |
| Host Name | The host name (or FQDN) to assign to the HAProxy control plane VM. | Default value: haproxy.local |
| DNS | A comma-separated list of DNS server IP addresses. | Default values: 1.1.1.1, 1.0.0.1. Example value: 10.8.8.8 |
| Management IP | The static IP address of the HAProxy control plane VM on the Management network. | A valid IPv4 address with the prefix length of the network, for example: 192.168.0.2/24. |
| Management Gateway | The IP address of the gateway for the Management network. | For example: 192.168.0.1 |
| Workload IP | The static IP address of the HAProxy control plane VM on the Workload network. This IP address must be outside of the load balancer IP address range. | A valid IPv4 address with the prefix length of the network, for example: 192.168.10.2/24. |
| Workload Gateway | The IP address of the gateway for the Workload network. | For example: 192.168.10.1. If you select Frontend configuration, you must enter a gateway. The deployment will not be successful if Frontend is selected and no gateway is specified. |
| Frontend IP | The static IP address of the HAProxy appliance on the Frontend network. This value is only used when the Frontend deployment model is selected. | A valid IPv4 address with the prefix length of the network, for example: 192.168.100.2/24 |
| Frontend Gateway | The IP address of the gateway for the Frontend network. This value is only used when the Frontend deployment model is selected. | For example: 192.168.100.1 |

Load Balancing Settings

The table lists and describes the parameters for HAProxy load balancer configuration.

| Parameter | Description | Example or Remark |
| --- | --- | --- |
| Load Balancer IP Range(s) | In this field you specify a range of IPv4 addresses using CIDR format. The value must be a valid CIDR range or the installation will fail. HAProxy reserves the IP addresses for virtual IPs (VIPs). Once assigned, each VIP address is allocated and HAProxy replies to requests on that address. The CIDR range you specify here must not overlap with the IPs you assign for the Virtual Servers when you enable Workload Management in the vCenter Server using the vSphere Client. Note: The load balancer IP range must reside on a different subnet than the Management network. Placing the load balancer IP range on the same subnet as the Management network is not supported. | For example, the network CIDR 192.168.100.0/24 gives the load balancer 256 virtual IP addresses with range 192.168.100.0 - 192.168.100.255. For example, the network CIDR 192.168.100.0/25 gives the load balancer 128 virtual IP addresses with range 192.168.100.0 - 192.168.100.127. |
| Dataplane API Management Port | The port on the HAProxy VM on which the load balancer's API service listens. | A valid port. Port 22 is reserved for SSH. The default value is 5556. |
| HAProxy User ID | Load balancer API user name | The username clients use to authenticate to the load balancer's API service. Note: You need this username when you enable the Supervisor. |
| HAProxy Password | Load balancer API password | The password clients use to authenticate to the load balancer's API service. Note: You need this password when you enable the Supervisor. |
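
Several of the settings above constrain one another (workload and management subnets, the workload IP versus the load balancer range, the Frontend gateway requirement, the reserved SSH port, the root password length), and a mistake typically surfaces only as a failed deployment. The following Python preflight check is an added example, not VMware's code: the function names and dictionary keys are hypothetical, and the sample values are constructed from the example addresses in the tables.

```python
import ipaddress

def vip_summary(cidr):
    """Count and first/last address of a load balancer CIDR range."""
    net = ipaddress.ip_network(cidr)  # strict: rejects host bits, e.g. 10.0.0.5/24
    return net.num_addresses, str(net[0]), str(net[-1])

def preflight(cfg):
    """Return violations of the addressing rules stated in the tables above."""
    errors = []
    mgmt = ipaddress.ip_interface(cfg["management_ip"])
    work = ipaddress.ip_interface(cfg["workload_ip"])
    if work.network.overlaps(mgmt.network):
        errors.append("workload network shares a subnet with the management network")
    for cidr in cfg["lb_ranges"]:
        try:
            lb = ipaddress.ip_network(cidr)
        except ValueError:
            errors.append(f"{cidr}: not a valid CIDR range")
            continue
        if lb.overlaps(mgmt.network):
            errors.append(f"{cidr}: load balancer range is on the management subnet")
        if work.ip in lb:
            errors.append(f"{cidr}: contains the workload IP {work.ip}")
    # The page requires a gateway when the Frontend configuration is selected.
    if cfg.get("frontend") and not cfg.get("workload_gateway"):
        errors.append("Frontend configuration selected but no gateway specified")
    port = cfg["dataplane_port"]
    if not 1 <= port <= 65535 or port == 22:
        errors.append(f"port {port}: invalid or reserved for SSH")
    if not 6 <= len(cfg["root_password"]) <= 128:
        errors.append("root password must be 6-128 characters")
    return errors

# Constructed sample values (hypothetical keys), based on the page's example addresses.
GOOD = {
    "management_ip": "192.168.0.2/24", "workload_ip": "192.168.10.2/24",
    "workload_gateway": "192.168.10.1", "frontend": True,
    "lb_ranges": ["192.168.100.0/25"], "dataplane_port": 5556,
    "root_password": "constructed-sample",
}
BAD = dict(GOOD, workload_gateway="", dataplane_port=22,
           lb_ranges=["192.168.10.0/28", "192.168.0.64/26", "10.0.0.5/24"])

if __name__ == "__main__":
    print(vip_summary("192.168.100.0/25"))
    for problem in preflight(BAD):
        print("FAIL:", problem)
```

The check does not cover the rule about overlap with the Virtual Server IPs, because those are entered later when Workload Management is enabled.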