Adopt Envoy in place of HAProxy for load balancing

pkg/cluster/internal/create/actions/loadbalancer/loadbalancer.go

@@ -22,6 +22,7 @@ import (
 
 	"sigs.k8s.io/kind/pkg/cluster/constants"
 	"sigs.k8s.io/kind/pkg/errors"
+	"sigs.k8s.io/kind/pkg/exec"
 	"sigs.k8s.io/kind/pkg/internal/apis/config"
 
 	"sigs.k8s.io/kind/pkg/cluster/internal/create/actions"
@@ -90,9 +91,9 @@ func (a *Action) Execute(ctx *actions.ActionContext) error {
 		return errors.Wrap(err, "failed to copy loadbalancer config to node")
 	}
 
-	// reload the config. haproxy will reload on SIGHUP
-	if err := loadBalancerNode.Command("kill", "-s", "HUP", "1").Run(); err != nil {
-		return errors.Wrap(err, "failed to reload loadbalancer")
+	// restart loadbalancer to apply static configuration changes
+	if err := exec.Command("docker", "restart", "kind-external-load-balancer").Run(); err != nil {
+		return errors.Wrap(err, "failed to restart loadbalancer container")
 	}
 
 	ctx.Status.End(true)

pkg/cluster/internal/loadbalancer/config.go

@@ -18,6 +18,7 @@ package loadbalancer
 
 import (
 	"bytes"
+	"net"
 	"text/template"
 
 	"sigs.k8s.io/kind/pkg/errors"
@@ -32,53 +33,103 @@ type ConfigData struct {
 
 // DefaultConfigTemplate is the loadbalancer config template
 const DefaultConfigTemplate = `# generated by kind
-global
-  log /dev/log local0
-  log /dev/log local1 notice
-  daemon
-  # limit memory usage to approximately 18 MB
-  maxconn 100000
-
-resolvers docker
-  parse-resolv-conf
-
-defaults
-  log global
-  mode tcp
-  option dontlognull
-  # TODO: tune these
-  timeout connect 5000
-  timeout client 50000
-  timeout server 50000
-  # allow to boot despite dns don't resolve backends
-  default-server init-addr none
-
-frontend control-plane
-  bind *:{{ .ControlPlanePort }}
-  {{ if .IPv6 -}}
-  bind :::{{ .ControlPlanePort }};
+static_resources:
+  listeners:
+  - name: control-plane-listener-ipv4
+    address:
+      socket_address:
+        address: "0.0.0.0"
+        port_value: {{ .ControlPlanePort }}
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: kube_apiserver
+          cluster: kube_apiservers
+  {{- if .IPv6 }}
+  - name: control-plane-listener-ipv6
+    address:
+      socket_address:
+        address: "::"
+        port_value: {{ .ControlPlanePort }}
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: kube_apiserver
+          cluster: kube_apiservers
   {{- end }}
-  default_backend kube-apiservers
+  clusters:
+  - name: kube_apiservers
+    type: STRICT_DNS
+    connect_timeout: 5s
+    lb_policy: ROUND_ROBIN
+    dns_lookup_family: AUTO
+    circuit_breakers:
+      thresholds:
+      - priority: DEFAULT
+        max_connections: 100000
+        max_pending_requests: 20000
+        max_requests: 100000
+    load_assignment:
+      cluster_name: kube_apiservers
+      endpoints:
+      - lb_endpoints:
+        {{- range $server, $address := .BackendServers }}
+	{{- $hp := hostPort $address }}
+        - endpoint:
+            address:
+              socket_address:
+                address: {{ $hp.host }}
+                port_value: {{ $hp.port }}
+        {{- end }}
 
-backend kube-apiservers
-  option httpchk GET /healthz
-  # TODO: we should be verifying (!)
-  {{range $server, $address := .BackendServers}}
-  server {{ $server }} {{ $address }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
-  {{- end}}
+    health_checks:
+    - timeout: 5s
+      interval: 10s
+      unhealthy_threshold: 3
+      healthy_threshold: 1
+      http_health_check:
+        path: /livez
+        expected_statuses:
+        - start: 200
+          end: 399
+        codec_client_type: HTTP1
+admin:
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 9901
+  access_log:
+  - name: envoy.access_loggers.file
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+      path: /dev/stdout
 `
 
+func hostPort(addr string) (map[string]string, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	return map[string]string{"host": host, "port": port}, nil
+}
+
 // Config returns a kubeadm config generated from config data, in particular
 // the kubernetes version
 func Config(data *ConfigData) (config string, err error) {
-	t, err := template.New("loadbalancer-config").Parse(DefaultConfigTemplate)
+	funcs := template.FuncMap{
+		"hostPort": hostPort,
+	}
+	t, err := template.New("envoy-config").Funcs(funcs).Parse(DefaultConfigTemplate)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to parse config template")
 	}
 	// execute the template
 	var buff bytes.Buffer
-	err = t.Execute(&buff, data)
-	if err != nil {
+	if err := t.Execute(&buff, data); err != nil {
 		return "", errors.Wrap(err, "error executing config template")
 	}
 	return buff.String(), nil

pkg/cluster/internal/loadbalancer/const.go

@@ -17,7 +17,7 @@ limitations under the License.
 package loadbalancer
 
 // Image defines the loadbalancer image:tag
-const Image = "docker.io/kindest/haproxy:v20230606-42a2262b"
+const Image = "docker.io/envoyproxy/envoy:v1.36.2"
 
 // ConfigPath defines the path to the config file in the image
-const ConfigPath = "/usr/local/etc/haproxy/haproxy.cfg"
+const ConfigPath = "/etc/envoy/envoy.yaml"