Microk8s api nodes behind haproxy


I’m trying to wrap my microk8s cluster api nodes behind a loadbalancer. Is there a guide to achieve this?

In the cluster ha guide it only refers to the possibility, and only the external etcd guide exists, not an external loadbalancer for the apis.

Tried haproxy (it works flawlessly with kubeadm) to no avail, with this error:

curl -v -XGET  -H "User-Agent: kubectl/v1.28.1 (linux/amd64) kubernetes/8dc49c4" -H "Accept: application/json;g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList,application/json" 'https://k8cp.urbaman.it:16443/api'
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying
* Connected to k8cp.urbaman.it ( port 16443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

I have the same problem. Did you find a solution?

Which balancing layer are you using?


Just using the same conf used for a kubeadm cluster, working flawlessly, and changed ports.

Don’t have the conf at hand after all this time, should be normal https.

This error is probably due to the missing tls registration of the domain, and probably it’s enough to add ip and domain in the default ips and domains for which mk8s registers tls.

I remember it was not enough and I also had many other problems getting this to work.