kubernetes
HAProxy Kubernetes Config Generator
Generate a production-ready haproxy.cfg for load balancing the Kubernetes API server and Ingress controller. Supports 1–3 control plane nodes with TCP passthrough.
HAProxy for Kubernetes API Load Balancing
HAProxy is the de-facto standard for Kubernetes API server load balancing in self-hosted setups. It's lightweight (~50 MB RAM), battle-tested, and supports true hot reloads without dropping connections.
Architecture
Internet / kubectl
│
▼
Floating IP (Keepalived VRRP)
│
┌───┴───┐
HAProxy-1 HAProxy-2 ← active/passive
│
┌──┼──┐
CP1 CP2 CP3 ← control plane nodesFrontend/Backend Pairs
| Frontend | Port | Backend | Mode |
|---|---|---|---|
| k8s-api | 6443 | Control planes :6443 | TCP passthrough |
| ingress-http | 80 | Worker nodes :80 | TCP passthrough |
| ingress-https | 443 | Worker nodes :443 | TCP passthrough |
| stats | 8404 | HAProxy internal | HTTP |
TCP Mode vs HTTP Mode
For the K8s API and HTTPS ingress, always use mode tcp. This:
- ›Preserves TLS — the backend's certificate is used, not HAProxy's
- ›Avoids needing to install client certificates on HAProxy
- ›Supports WebSocket connections (used by kubectl exec/logs)
Keepalived + Hetzner Floating IP
The Floating IP must be reassigned via the Hetzner API when Keepalived triggers a failover. Use the hcloud CLI in the Keepalived notify script:
# /etc/keepalived/notify.sh
hcloud floating-ip assign <floating-ip-id> <server-id>This reassigns the Floating IP to the active HAProxy node on failover.
Key Terms
Full glossary →kubeadm
A tool for bootstrapping Kubernetes clusters. It automates the setup of control plane components and joining worker nodes, following Kubernetes best practices.
etcd
A distributed key-value store used by Kubernetes to store all cluster state and configuration. etcd is the single source of truth for the entire cluster.
cert-manager
A Kubernetes controller for automating TLS certificate management. cert-manager can issue certificates from Let's Encrypt, Vault, or internal CAs, and automatically renews them.
Helm
A package manager for Kubernetes. Helm charts bundle Kubernetes manifests into reusable packages with configurable values, versioned and published to chart repositories.
Frequently Asked Questions
Why use HAProxy instead of the cloud provider's load balancer?
On Hetzner Cloud, you control the HAProxy VMs directly. This gives you: no per-request cost, TCP passthrough (the TLS cert stays on the API server), Keepalived Floating IP for HA without cloud LB pricing, and full visibility into what HAProxy is doing via the stats page.
Why TCP mode instead of HTTP mode for the API server?
The Kubernetes API server uses TLS (HTTPS). In TCP mode, HAProxy passes the encrypted traffic directly to the backend without terminating TLS. This keeps the API server's certificate the authoritative one and avoids HAProxy needing a copy of the K8s TLS cert.
How does Keepalived work with HAProxy?
Run two HAProxy VMs. Keepalived uses VRRP to assign a Floating IP to the master HAProxy node. If the master fails, Keepalived moves the Floating IP to the backup within 1-2 seconds. All traffic uses the Floating IP, so the failover is transparent to clients.
How do I reload HAProxy without downtime?
Run `systemctl reload haproxy`. HAProxy's reload is graceful — existing connections are not dropped. New connections use the new config. This is why we use mode tcp: a true zero-downtime reload. Contrast with NGINX which needs --graceful-quit.
Related Calculators
Related Generators
Related Guides
kubernetes
CI/CD for Kubernetes with GitHub Actions: A Complete Guide (2026)
A practical walkthrough of building a full GitHub Actions pipeline that builds a container image, pushes it to a registry, and deploys to Kubernetes — with secrets handling, rollback, and Helm support.
kubernetes
ArgoCD vs Flux: Choosing a GitOps Tool for Kubernetes in 2026
A no-fluff comparison of ArgoCD and Flux for GitOps on Kubernetes — covering architecture, UI, Helm support, multi-tenancy, and when to pick each one.
kubernetes
Hetzner vs DigitalOcean for Kubernetes in 2026: An Honest Comparison
Hetzner is 3–5× cheaper than DigitalOcean for equivalent Kubernetes compute. But DO has managed K8s, better global coverage, and a larger app marketplace. Here's when each is the right choice.