docs: describe Central Load Balancer PBR, Keepalived, and HAProxy configuration
Document the complete Central Load Balancer (CLB) architecture including PBR routing, VRRP failover, and HAProxy traffic policies.
## PBR Routing Tables
- Custom routing tables (e.g., `rt_core_vault_frontend`) registered in `/etc/iproute2/rt_tables`.
- Naming convention derived from `project_code` + cluster name as computed by `00-foundation-metadata`.
## Rule and Route Injection
```bash
ip rule add from 172.16.126.250 table rt_core_vault_frontend
ip route replace 172.16.126.0/24 dev v_corevault_0 scope link table rt_core_vault_frontend
```
- `ip rule` binds a source VIP address to a specific routing table.
- `scope link` routes force return packets to egress directly out of the originating L2 bridge interface, bypassing the default gateway.
## Keepalived VRRP Failover
- Master and Backup CLB nodes coordinate via VRID (Virtual Router ID).
- On master failure, the Backup node assumes the VIP and broadcasts Gratuitous ARP (GARP) to update L2 switch tables immediately.
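The rule and route injection above and the Keepalived failover are two halves of one procedure: the PBR state must exist on whichever node currently holds the VIP. The script below is an added example, not the project's own tooling, that makes the injection idempotent and lets Keepalived drive it through a `notify` hook (the rule/route is applied on `MASTER`, torn down on `BACKUP`/`FAULT`). The VIP, subnet, bridge and table name are the ones from this page; the table ID `100`, the script path and the `DRY_RUN` mode are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's script): idempotent PBR setup for a CLB VIP,
# usable by hand ("clb-pbr.sh apply|remove|verify") or as a Keepalived notify
# script, so the rule/route are (re)applied whenever this node becomes MASTER.
# Table ID 100 and the default test destination are hypothetical placeholders.
set -eu

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-0}              # DRY_RUN=1 prints the ip(8) commands instead of running them
VIP=${VIP:-172.16.126.250}
SUBNET=${SUBNET:-172.16.126.0/24}
BRIDGE=${BRIDGE:-v_corevault_0}
TABLE=${TABLE:-rt_core_vault_frontend}
TABLE_ID=${TABLE_ID:-100}          # hypothetical; must be unique in rt_tables (1-252)

run_ip() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ip %s\n' "$*"; else ip "$@"; fi
}

# Register "<id> <name>" in rt_tables exactly once; refuse to silently reuse a
# name that is already bound to a different ID.
ensure_rt_table() {
    name=$1
    id=$2
    grep -q "^[[:space:]]*$id[[:space:]][[:space:]]*$name[[:space:]]*\$" "$RT_TABLES" 2>/dev/null && return 0
    if grep -q "[[:space:]]$name[[:space:]]*\$" "$RT_TABLES" 2>/dev/null; then
        echo "rt_tables: $name is already registered with another ID" >&2
        return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# Bind the VIP as source to the table and install the scope-link return route.
# "ip rule add" is not idempotent (it stacks duplicates), so any old copy of the
# rule is removed first; "ip route replace" is idempotent by itself.
pbr_apply() {
    run_ip rule del from "$VIP" table "$TABLE" 2>/dev/null || true
    run_ip rule add from "$VIP" table "$TABLE"
    run_ip route replace "$SUBNET" dev "$BRIDGE" scope link table "$TABLE"
}

# Tear down on BACKUP/FAULT. Strictly optional: a rule keyed on a VIP this node
# no longer owns never matches, but removing it keeps "ip rule show" honest.
pbr_remove() {
    run_ip rule del from "$VIP" table "$TABLE" 2>/dev/null || true
    run_ip route flush table "$TABLE" 2>/dev/null || true
}

# Ask the kernel which device it would use for a reply sourced from the VIP;
# with PBR in place this must show the bridge, not the default gateway.
pbr_verify() {
    ip route get "${1:-172.16.126.10}" from "$VIP"
}

main() {
    # Keepalived notify scripts receive: TYPE NAME STATE PRIORITY.
    case "${3:-$1}" in
        MASTER|apply)              ensure_rt_table "$TABLE" "$TABLE_ID"; pbr_apply ;;
        BACKUP|FAULT|STOP|remove)  pbr_remove ;;
        verify)                    pbr_verify "${2:-}" ;;
        *) echo "usage: $0 apply|remove|verify [dst]" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Wired into Keepalived as `notify /usr/local/sbin/clb-pbr.sh` (hypothetical path) inside the `vrrp_instance`, the rule and route follow the VIP across failover instead of depending on a one-off boot-time command. The `verify` subcommand is the check worth keeping in the runbook: if its output names the default gateway rather than `v_corevault_0`, the `scope link` route is missing and return traffic will leave asymmetrically through the gateway.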
## HAProxy Traffic Routing
- L4 TCP mode for Vault (port `8200`) and Kubernetes Ingress (ports `443`/`80`).
- Uses PROXY protocol v2 (`send-proxy-v2`) to preserve real client source IPs through to downstream Kubernetes controllers.
- Health check endpoints:
  - Vault: `GET /v1/sys/health` returns `200 OK` (active) or `429` (standby).
  - Patroni/Postgres: `GET /primary` and `GET /replica` on port `8008`.
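The HAProxy policies listed above, rendered as a config fragment by an added example script that is not the project's `haproxy.cfg`. The VIP `172.16.126.250`, ports `8200`/`443`/`80`/`8008`, `send-proxy-v2` and the two health-check paths come from this page; the backend addresses, the ingress and Postgres VIPs, Postgres on `5432`, the CA file path and the assumption that Vault's listener is TLS are placeholders to be replaced. The script validates the rendered file with `haproxy -c` when the binary is installed.

```shell
#!/bin/sh
# Added example (not the project's haproxy.cfg): render the CLB traffic policies
# described above and syntax-check them. Backend IPs, the ingress/Postgres VIPs,
# port 5432 and the CA path are hypothetical placeholders.
set -eu

VAULT_VIP=${VAULT_VIP:-172.16.126.250}
INGRESS_VIP=${INGRESS_VIP:-192.0.2.10}     # hypothetical
PG_VIP=${PG_VIP:-192.0.2.11}               # hypothetical

render_haproxy_cfg() {
    vault_ip=${1:-192.0.2.101}             # hypothetical backend addresses
    ingress_ip=${2:-192.0.2.102}
    pg_ip=${3:-192.0.2.103}
    cat <<EOF
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Vault: L4 passthrough. Only the active node answers 200 on /v1/sys/health;
# standbys answer 429 and are marked DOWN, so traffic always reaches the active node.
# check-ssl assumes a TLS listener; drop it (and verify/ca-file) for plaintext.
frontend vault_frontend
    bind ${VAULT_VIP}:8200
    default_backend vault_backend

backend vault_backend
    option httpchk GET /v1/sys/health
    http-check expect status 200
    server vault0 ${vault_ip}:8200 check check-ssl verify required ca-file /etc/haproxy/clb-ca.pem

# Kubernetes ingress: TCP passthrough of 443/80 with PROXY protocol v2 so the
# controller sees the real client IP. The controller must be configured to expect
# PROXY protocol, and should accept it only from the CLB addresses.
frontend ingress_https
    bind ${INGRESS_VIP}:443
    default_backend ingress_https_backend

frontend ingress_http
    bind ${INGRESS_VIP}:80
    default_backend ingress_http_backend

backend ingress_https_backend
    server ingress0 ${ingress_ip}:443 check send-proxy-v2

backend ingress_http_backend
    server ingress0 ${ingress_ip}:80 check send-proxy-v2

# Patroni/Postgres: writes go to the leader only. The health check hits the Patroni
# REST port 8008 (GET /primary: 200 on the leader, 503 on replicas) while the
# data port stays 5432.
frontend postgres_primary
    bind ${PG_VIP}:5432
    default_backend postgres_primary_backend

backend postgres_primary_backend
    option httpchk GET /primary
    http-check expect status 200
    server pg0 ${pg_ip}:5432 check port 8008
EOF
}

# Write the rendered config to a temp file and syntax-check it if haproxy is present.
validate_haproxy_cfg() {
    cfg=$(mktemp)
    render_haproxy_cfg "$@" > "$cfg"
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$cfg"
    else
        echo "haproxy not installed; rendered config left at $cfg" >&2
    fi
}

if [ "${1:-}" = validate ]; then shift; validate_haproxy_cfg "$@"; fi
```

Two points a reviewer of the real config should check. First, `send-proxy-v2` is only safe when the downstream controller both expects the PROXY header and trusts it solely from the CLB nodes: the header is unauthenticated, so any host allowed to speak PROXY protocol to the backend can assert an arbitrary client address, and a backend that does not expect it will reject the connection outright. Second, `http-check expect status 200` on the Vault backend is what turns the `200`/`429` distinction into routing: standbys are deliberately DOWN, so a single active node is the only healthy server and an all-DOWN backend means Vault is sealed or unreachable, not that HAProxy is misconfigured.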
## Acceptance Criteria
- [ ] Annotated diagram showing VIP → CLB → backend VM packet flow with PBR path highlighted.
- [ ] Explanation of why `scope link` is necessary and what happens without it.
- [ ] Table of HAProxy frontend/backend definitions and their health check endpoints.