global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    option dontlog-normal

frontend kube_api
{% if '_kubernetes_controlplane_nodes_' in group_names %}
    bind *:6443
{% else %}
    bind 127.0.0.1:6443
{% endif %}
    timeout client 3h
    default_backend kube_api

backend kube_api
{% if '_kubernetes_controlplane_nodes_' in group_names %}
    balance first
{% else %}
    balance roundrobin
{% endif %}
    option log-health-checks
    option httpchk GET /healthz
    http-check expect string ok
    default-server inter 5s fall 3 rise 2
    timeout connect 5s
    timeout server 3h
{% for node in groups['_kubernetes_controlplane_nodes_'] %}
    server {{ node }} {{ hostvars[node].kubernetes_overlay_node_ip | default(hostvars[node].ansible_default_ipv4.address) }}:6442 {% if node == inventory_hostname %}id 1{% endif %} check check-ssl verify none
{% endfor %}