Install and Configure the HAProxy Load Balancer

VMware provides an implementation of the open source HAProxy load balancer that you can use in your vSphere IaaS control plane environment. If you are using vSphere Distributed Switch (vDS) networking for Workload Management, you can install and configure the HAProxy load balancer.

Create a vSphere Distributed Switch for a Supervisor for Use with HAProxy Load Balancer

To configure a vSphere cluster as a Supervisor that uses the vSphere networking stack and the HAProxy load balancer, you must add the hosts to a vSphere Distributed Switch. You must create port groups on the distributed switch that you configure as Workload Networks to the Supervisor.

You can select between different topologies for the Supervisor depending on the level of isolation that you want to provide to the Kubernetes workloads that will run on the cluster.

Prerequisites

Review the system requirements for using vSphere networking for the Supervisor with the HAProxy load balancer. See Requirements for Enabling a Three-Zone Supervisor with HA Proxy Load Balancer and Requirements for Enabling a Single-Cluster Supervisor with VDS Networking and HAProxy Load Balancer vSphere IaaS Control Plane Concepts and Planning.
Determine the topology for setting up Workload Networks with HAProxy on the Supervisor. See Topologies for Deploying the HAProxy Load Balancer in vSphere IaaS Control Plane Concepts and Planning.

Procedure

In the vSphere Client, navigate to a data center.
Right click the data center and select Distributed Switch > New Distributed Switch.
Enter a name for the switch, for example Workload Distributed Switch and click Next.
Select version 7.0 for the switch and click Next.
In Port group name, enter Primary Workload Network, click Next, and click Finish.
A new distributed switch with one port group is created on the data center. You can use this port group as the Primary Workload Network for the Supervisor that you will create. The Primary Workload Network handles the traffic for Kubernetes control plane VMs.
Create distributed port groups for Workload Networks.
The number of port groups that you create depends on the topology that you want to implement for the Supervisor. For a topology with one isolated Workload Network, create one distributed port group that you will use as a network for all namespaces on the Supervisor. For a topology with isolated networks for each namespace, create the same number of port groups as the number of namespaces that you will create.
1. Navigate to the newly-created distributed switch.
2. Right-click the switch and select Distributed Port Groups > New Distributed Port Group.
3. Enter a name for the port group, for example Workload Network and click Next.
4. Leave the defaults, click Next and click Finish.
Add hosts from the vSphere clusters that you will configure as Supervisor to the distributed switch.
1. Right-click the distributed switch and select Add and Manage Hosts.
2. Select Add Hosts.
3. Click New Hosts, select the hosts from the vSphere cluster that you will configure as a Supervisor, and click Next.
4. Select a physical NIC from each host and assign it an uplink on the distributed switch.
5. Click Next through the remaining screens of the wizard and click Finish.

Results

The hosts are added to the distributed switch. You can now use the port groups that you created on the switch as Workload Networks of the Supervisor.

Deploy the HAProxy Load Balancer Control Plane VM

If you want to use the vSphere networking stack for Kubernetes workloads, install the HAProxy control plane VM to provide load balancing services to Tanzu Kubernetes clusters.

Prerequisites

Verify that your environment meets the compute and networking requirements for deploying HA Proxy. See Requirements for Enabling a Three-Zone Supervisor with HA Proxy Load Balancer and Requirements for Enabling a Single-Cluster Supervisor with VDS Networking and HAProxy Load Balancer vSphere IaaS Control Plane Concepts and Planning.
Verify that you have a Management network on a vSphere standard or distributed switch where to deploy the HAProxy load balancer. The Supervisor communicates with the HAProxy load balancer on that Management network.
Create a vSphere Distributed Switch and port groups for Workload Networks. The HAProxy load balancer communicates with Supervisor and Tanzu Kubernetes cluster nodes over the Workload Networks. See Create a vSphere Distributed Switch for a Supervisor for Use with HAProxy Load Balancer. For information on Workload Networks, see Workload Networks on the Supervisor Cluster in vSphere IaaS Control Plane Concepts and Planning.
Download the latest version of the VMware HAProxy OVA file from the VMware-HAProxy site.
Select a topology for deploying the HAProxy load balancer and Workload Networks on the Supervisor. See Topologies for Deploying the HAProxy Load Balancer in vSphere IaaS Control Plane Concepts and Planning.

It may be helpful to view a demonstration of how to use vSphere IaaS control plane with vDS networking and HAProxy. Check out the video Getting Started Using vSphere with Tanzu.

Procedure

Create a new VM from the HAProxy OVA file.

Option Description

Content Library

Option	Description
Content Library	If you imported the OVA to a Local Content Library: Go to Menu > Content Library. Select the library where you imported the OVA. Select the `vmware-haproxy-vX.X.X` template. Right-click and choose New VM from This Template.
Local file	If you downloaded the OVA file to your local host: Select the vCenter cluster where you will enable Workload Management. Right-click and select Deploy OVF Template. Select Local File and click Upload Files. Browse to and select the `vmware-haproxy-vX.X.X.ova` file.

If you imported the OVA to a Local Content Library:

Go to Menu > Content Library.
Select the library where you imported the OVA.
Select the vmware-haproxy-vX.X.X template.
Right-click and choose New VM from This Template.

Local file

If you downloaded the OVA file to your local host:

Select the vCenter cluster where you will enable Workload Management.
Right-click and select Deploy OVF Template.
Select Local File and click Upload Files.
Browse to and select the vmware-haproxy-vX.X.X.ova file.

Enter a Virtual machine name, such as haproxy.
Select the Datacenter where you are deploying HAProxy and click Next.
Select the vCenter Cluster where you will enable Workload Management and click Next.
Review and confirm the deployment details and click Next.
Accept the License agreements and click Next.

Select a deployment configuration. See HAProxy Network Topology in vSphere IaaS Control Plane Concepts and Planning. for details.

Configuration	Description
Default	Select this option to deploy the appliance with 2 NICs: a Management network and a single Workload network.
Frontend Network	Select this option to deploy the appliance with 3 NICs. The frontend subnet is used to isolate cluster nodes from the network used by developers to access the cluster control plane.

Select the storage policy to use for the VM and click Next.

Select the network interfaces to use for the load balancer and click Next.

Source Network	Destination Network
Management	Select the Management network, such as `VM Network`.
Workload	Select the vDS portgroup configured for Workload Management.
Frontend	Select the vDS portgroup configured for the Frontend subnet. If you did not select Frontend configuration, this setting is ignored during installation, so you can leave the default.

Note: The workload network must be on a different subnet than the management network. See Requirements for Enabling a Three-Zone Supervisor with HA Proxy Load Balancer and Requirements for Enabling a Single-Cluster Supervisor with VDS Networking and HAProxy Load Balancer vSphere IaaS Control Plane Concepts and Planning..

Customize the application configuration settings. See Appliance Configuration Settings.
Provide the network configuration details. See Network Configuration.
Configure load balancing. See Load Balancing Settings.
Click Next to complete the configuration of the OVA.
Review the deployment configuration details and click Finish to deploy the OVA.
Monitor the deployment of the VM using the Tasks panel.
When the VM deployment completes, power it on.

What to do next

Once the HAProxy load balancer is successfully deployed and powered on, proceed with enabling Workload Management. See Configuring and Managing a Supervisor.

Customize the HAProxy Load Balancer

Customize the HAProxy control plane VM, including configuration settings, network settings, and load balancing settings.

Appliance Configuration Settings

The table lists and describes the parameters for HAProxy appliance configuration.

Parameter	Description	Remark or Example
Root Password	Initial password for the root user (6-128 characters).	Subsequent changes of password must be performed in operating system.
Permit Root Login	Option to allow the root user to login to the VM remotely over SSH.	Root login might be needed for troubleshooting, but keep in mind the security implications of allowing it.
TLS Certificate Authority (ca.crt)	To use the self-signed CA certificate, leave this field empty. To use your own CA certificate (ca.crt), paste its contents into this field. You might need to Base64-encode the contents. https://www.base64encode.org/	If you are using the self-signed CA certificate, the public and private keys will be generated from the certificate.
Key (ca.key)	If you are using the self-signed certificate, leave this field empty. If you provided a CA certificate, paste the contents of the certificate private key in this field.

Network Configuration

The table lists and describes the parameters for HAProxy network configuration.

Parameter	Description	Remark or Example
Host Name	The host name (or FQDN) to assign to the HAProxy control plane VM	Default value: `haproxy.local`
DNS	A comma-separated list of DNS server IP addresses.	Default values: `1.1.1.1, 1.0.0.1` Example value: `10.8.8.8`
Management IP	The static IP address of the HAProxy control plane VM on the Management network.	A valid IPv4 address with the prefix length of the network, for example: `192.168.0.2/24`.
Management Gateway	The IP address of the gateway for the Management network.	For example: `192.168.0.1`
Workload IP	The static IP address of the HAProxy control plane VM on the Workload network. This IP address must be outside of the load balancer IP address range.	A valid IPv4 address with the prefix length of the network, for example: `192.168.10.2/24`.
Workload Gateway	The IP address of the gateway for the Workload network.	For example: `192.168.10.1` If you select Frontend configuration, you must enter a gateway. The deployment will not be successful if Frontend is selected and no gateway is specified.
Frontend IP	The static IP address of the HAProxy appliance on the Frontend network. This value is only used when the Frontend deployment model is selected.	A valid IPv4 address with the prefix length of the network, for example: `192.168.100.2/24`
Frontend Gateway	The IP address of the gateway for the Frontend network. This value is only used when the Frontend deployment model is selected.	For example: `192.168.100.1`

Load Balancing Settings

The table lists and describes the parameters for HAProxy load balancer configuration.

Parameter	Description	Example or Remark
Load Balancer IP Range(s)	In this field you specify a range of IPv4 addresses using CIDR format. The value must be a valid CIDR range or the installation will fail. HAProxy reserves the IP addresses for virtual IPs (VIPs). Once assigned, each VIP address is allocated and HAProxy replies to requests on that address. The CIDR range you specify here must not overlap with the IPs you assign for the Virtual Servers when you enable Workload Management in the vCenter Server using the vSphere Client. Note: The load balancer IP range must reside on a different subnet than the Management network. It's not supported to have the load balancer IP range on the same subnet as the Management network.	For example, the network CIDR `192.168.100.0/24` gives the load balancer 256 virtual IP addresses with range `192.168.100.0 - 192.168.100.255`. For example, the network CIDR `192.168.100.0/25` gives the load balancer 128 virtual IP addresses with range `192.168.100.0 - 192.168.100.127`.
Dataplane API Management Port	The port on the HAProxy VM on which the load balancer's API service listens.	A valid port. Port 22 is reserved for SSH. The default value is `5556`.
HAProxy User ID	Load balancer API user name	The username clients use to authenticate to the load balancer's API service. Note: You need this username when you enable the Supervisor.
HAProxy Password	Load balancer API password	The password clients use to authenticate to the load balancer's API service. Note: You need this password when you enable the Supervisor.