feat: Dockerfile for keepalived for k8s control plane high availability docker image

Dockerfile

@@ -0,0 +1,15 @@
+FROM alpine:latest
+
+RUN apk add --no-cache \
+    bash       \
+    curl       \
+    ipvsadm    \
+    iproute2   \
+    keepalived \
+    && addgroup -S keepalived_script \
+    && adduser -S -s /sbin/nologin -G keepalived_script -H keepalived_script
+
+COPY keepalived.conf /etc/keepalived/keepalived.conf
+COPY init.sh /
+RUN chmod +x /init.sh
+CMD ["/init.sh"]

Makefile

@@ -0,0 +1,25 @@
+.PHONY: imageKeepalived
+
+REGISTRY_IP=docker.registry
+# linux/arm/v7
+# linux/arm/v6
+# linux/arm64
+# linux/amd64
+PLATFORM=linux/arm64
+#OCI_CLI=nerdctl
+OCI_CLI=docker
+#OCI_CLI_BUILD=$(OCI_CLI)
+OCI_CLI_BUILD=$(OCI_CLI) buildx
+
+## build
+
+shell_build_image = $(OCI_CLI_BUILD) build --platform $(PLATFORM) -t $(REGISTRY_IP):5000/$(1) .; \
+	$(OCI_CLI) push $(REGISTRY_IP):5000/$(1);
+
+imageKeepalived:
+	$(call shell_build_image,keepalived)
+
+## management
+
+status:
+	@curl -s $(REGISTRY_IP):5000/v2/_catalog | jq

init.sh

@@ -0,0 +1,143 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+config_keepalived() {
+  if ! compgen -A variable | grep -q -E 'KEEPALIVED_VIRTUAL_IPADDRESS_[0-9]{1,3}'; then
+    echo "[$(date)][KEEPALIVED] No KEEPALIVED_VIRTUAL_IPADDRESS_ varibles detected."
+    return 1
+  fi
+
+  KEEPALIVED_STATE=${KEEPALIVED_STATE:-MASTER}
+
+  if [[ "${KEEPALIVED_STATE^^}" == 'MASTER' ]]; then
+    KEEPALIVED_PRIORITY=${KEEPALIVED_PRIORITY:-200}
+  elif [[ "${KEEPALIVED_STATE^^}" == 'BACKUP' ]]; then
+    KEEPALIVED_PRIORITY=${KEEPALIVED_PRIORITY:-100}
+  fi
+
+  KEEPALIVED_INTERFACE=${KEEPALIVED_INTERFACE:-eth0}
+  KEEPALIVED_VIRTUAL_ROUTER_ID=${KEEPALIVED_VIRTUAL_ROUTER_ID:-1}
+  KEEPALIVED_ADVERT_INT=${KEEPALIVED_ADVERT_INT:-1}
+  KEEPALIVED_AUTH_PASS=${KEEPALIVED_AUTH_PASS:-"pwd$KEEPALIVED_VIRTUAL_ROUTER_ID"}
+
+  if [[ ! $KEEPALIVED_UNICAST_SRC_IP ]]; then
+    bind_target="$(ip addr show "$KEEPALIVED_INTERFACE" | \
+      grep -m 1 -E -o 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}')"
+    KEEPALIVED_UNICAST_SRC_IP="$bind_target"
+  fi
+
+  {
+    echo 'global_defs {'
+    echo 'router_id LVS_MAIN'
+    echo '}'
+  } > "$KEEPALIVED_CONF"
+
+  if [[ ${KEEPALIVED_KUBE_APISERVER_CHECK,,} == 'true' ]]; then
+    # if no address supplied, assume its the first (or only) VIP
+    if [[ ! $KUBE_APISERVER_ADDRESS ]]; then
+      kube_api_vip="$(compgen -A variable | grep -E 'KEEPALIVED_VIRTUAL_IPADDRESS_[0-9]{1,3}' | head -1)"
+      KUBE_APISERVER_ADDRESS="$(echo "${!kube_api_vip}" | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')"
+    fi
+    KUBE_APISERVER_PORT=${KUBE_APISERVER_PORT:-6443}
+    KUBE_APISERVER_CHK_INTERVAL=${KUBE_APISERVER_CHK_INTERVAL:-'3'}
+    KUBE_APISERVER_CHK_WEIGHT=${KUBE_APISERVER_CHK_WEIGHT:-'-50'}
+    KUBE_APISERVER_CHK_FALL=${KUBE_APISERVER_CHK_FALL:-'10'}
+    KUBE_APISERVER_CHK_RISE=${KUBE_APISERVER_CHK_RISE:-'2'}
+    {
+      echo 'vrrp_script chk_kube_apiserver {'
+      echo "  script \"/usr/lib/keepalived/scripts/chk_kube_apiserver.sh $KUBE_APISERVER_ADDRESS $KUBE_APISERVER_PORT\""
+      echo "  interval $KUBE_APISERVER_CHK_INTERVAL"
+      echo "  fall $KUBE_APISERVER_CHK_FALL"
+      echo "  rise $KUBE_APISERVER_CHK_RISE"
+      echo "  weight $KUBE_APISERVER_CHK_WEIGHT"
+      echo '}'
+    } >> "$KEEPALIVED_CONF"
+  fi
+
+  {
+    echo 'vrrp_instance MAIN {'
+    echo "  state $KEEPALIVED_STATE"
+    echo "  interface $KEEPALIVED_INTERFACE"
+    echo "  virtual_router_id $KEEPALIVED_VIRTUAL_ROUTER_ID"
+    echo "  priority $KEEPALIVED_PRIORITY"
+    echo "  advert_int $KEEPALIVED_ADVERT_INT"
+    echo "  unicast_src_ip $KEEPALIVED_UNICAST_SRC_IP"
+    echo '  unicast_peer {'
+  } >> "$KEEPALIVED_CONF"
+  for peer in $(compgen -A variable | grep -E "KEEPALIVED_UNICAST_PEER_[0-9]{1,3}"); do
+    echo "    ${!peer}" >> "$KEEPALIVED_CONF"
+  done
+  {
+    echo '  }'
+    echo '  authentication {'
+    echo '    auth_type PASS'
+    echo "    auth_pass $KEEPALIVED_AUTH_PASS"
+    echo '  }'
+    echo '  virtual_ipaddress {'
+  }  >> "$KEEPALIVED_CONF"
+  for vip in $(compgen -A variable | grep -E 'KEEPALIVED_VIRTUAL_IPADDRESS_[0-9]{1,3}'); do
+    echo "    ${!vip}" >> "$KEEPALIVED_CONF"
+  done
+  echo '  }' >> "$KEEPALIVED_CONF"
+
+  if compgen -A variable | grep -q -E 'KEEPALIVED_VIRTUAL_IPADDRESS_EXCLUDED_[0-9]{1,3}'; then
+    echo '  virtual_ipaddress_excluded {' >> "$KEEPALIVED_CONF"
+    for evip in $(compgen -A variable | grep -E 'KEEPALIVED_VIRTUAL_IPADDRESS_EXCLUDED_[0-9]{1,3}'); do
+      echo "    ${!evip}" >> "$KEEPALIVED_CONF"
+    done
+    echo '  }' >> "$KEEPALIVED_CONF"
+  fi
+
+  if compgen -A variable | grep -q -E 'KEEPALIVED_TRACK_INTERFACE_[0-9]{1,3}'; then
+    echo '  track_interface {' >> "$KEEPALIVED_CONF"
+    for interface in $(compgen -A variable | grep -E 'KEEPALIVED_TRACK_INTERFACE_[0-9]{1,3}'); do
+      echo "    ${!interface}" >> "$KEEPALIVED_CONF"
+    done
+    echo '  }' >> "$KEEPALIVED_CONF"
+  else
+    {
+      echo '  track_interface {'
+      echo "    $KEEPALIVED_INTERFACE"
+      echo '}'
+    } >> "$KEEPALIVED_CONF"
+ fi
+ if [[ ${KEEPALIVED_KUBE_APISERVER_CHECK,,} == 'true' ]]; then
+   {
+     echo '  track_script {'
+     echo '    chk_kube_apiserver'
+     echo '  }'
+   } >> "$KEEPALIVED_CONF"
+ fi
+
+  echo '}' >> "$KEEPALIVED_CONF"
+
+  return 0
+}
+
+init_vars() {
+  KEEPALIVED_AUTOCONF=${KEEPALIVED_AUTOCONF:-true}
+  KEEPALIVED_DEBUG=${KEEPALIVED_DEBUG:-false}
+  KEEPALIVED_KUBE_APISERVER_CHECK=${KEEPALIVED_KUBE_APISERVER_CHECK:-false}
+  KEEPALIVED_CONF=${KEEPALIVED_CONF:-/etc/keepalived/keepalived.conf}
+  KEEPALIVED_VAR_RUN=${KEEPALIVED_VAR_RUN:-/var/run/keepalived}
+  if [[ ${KEEPALIVED_DEBUG,,} == 'true' ]]; then
+    local kd_cmd="/usr/sbin/keepalived -n -l -D -f $KEEPALIVED_CONF"
+  else
+    local kd_cmd="/usr/sbin/keepalived -n -l -f $KEEPALIVED_CONF"
+  fi
+  KEEPALIVED_CMD=${KEEPALIVED_CMD:-"$kd_cmd"}
+}
+
+main() {
+  init_vars
+  if [[ ${KEEPALIVED_AUTOCONF,,} == 'true' ]]; then
+    config_keepalived
+  fi
+  rm -fr "$KEEPALIVED_VAR_RUN"
+  # shellcheck disable=SC2086
+  exec $KEEPALIVED_CMD
+}
+
+main

keepalived.conf

@@ -0,0 +1,42 @@
+global_defs {
+   enable_script_security
+}
+
+vrrp_script chk_kube {
+    script /usr/bin/curl --silent --max-time 2 --insecure https://100.105.163.74:6443/ -o /dev/null || echo "*** Error GET https://100.105.163.74:6443/" 1>&2 && exit 1
+    interval 2                                          # check every 2 seconds
+    weight 2                                            # add n points of prio if OK
+}
+
+vrrp_instance KUBE_VIP {
+    state BACKUP
+
+    # keepalived dialog interface
+    interface tailscale0
+
+    virtual_router_id 51
+    priority 50
+    # VRRP Advert interval in seconds (e.g. 0.92) (use default)
+    advert_int 1
+    preempt
+
+    authentication {
+        auth_type PASS
+        auth_pass ryuiz54*
+    }
+
+    # list of ip affected to public vrrp
+    virtual_ipaddress {
+        # be careful label should be less than 16 character
+        100.105.163.74 dev tailscale0 label tailscale0:vip
+    }
+
+    # Unicast specific option, this is the IP of the interface keepalived listens on
+    unicast_src_ip 100.105.163.73
+    # list of other peer connect to this vrrp instance (all app instance except current host)
+    unicast_peer {}
+
+    track_script {
+        chk_kube
+    }
+}