docs: describe Central Load Balancer PBR, Keepalived, and HAProxy configuration
Document the complete Central Load Balancer (CLB) architecture, including PBR routing, VRRP failover, and HAProxy traffic policies.

## PBR Routing Tables

- Custom routing tables (e.g., `rt_core_vault_frontend`) are registered in `/etc/iproute2/rt_tables`.
- The naming convention is derived from `project_code` + cluster name, as computed by `00-foundation-metadata`.

## Rule and Route Injection

```bash
ip rule add from 172.16.126.250 table rt_core_vault_frontend
ip route replace 172.16.126.0/24 dev v_corevault_0 scope link table rt_core_vault_frontend
```

- `ip rule` binds a source VIP address to a specific routing table.
- `scope link` routes force return packets to egress directly out of the originating L2 bridge interface, bypassing the default gateway.

## Keepalived VRRP Failover

- Master and Backup CLB nodes coordinate via a shared VRID (Virtual Router ID).
- On master failure, the Backup node assumes the VIP and broadcasts Gratuitous ARP (GARP) so that L2 switch tables are updated immediately.

## HAProxy Traffic Routing

- L4 TCP mode for Vault (port `8200`) and Kubernetes Ingress (ports `443`/`80`).
- Uses PROXY protocol v2 (`send-proxy-v2`) to preserve real client source IPs through to downstream Kubernetes controllers.
- Health check endpoints:
  - Vault: `GET /v1/sys/health`, `200 OK` (active), `429` (standby).
  - Patroni/Postgres: `GET /primary` and `GET /replica` on port `8008`.

## Acceptance Criteria

- [ ] Annotated diagram showing VIP → CLB → backend VM packet flow with the PBR path highlighted.
- [ ] Explanation of why `scope link` is necessary and what happens without it.
- [ ] Table of HAProxy frontend/backend definitions and their health check endpoints.
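An HAProxy configuration sketch for the frontends, backends and health checks listed above, added here as an illustration rather than taken from the project's own `haproxy.cfg`; the VIP is the one from the PBR rule, while backend server names and addresses are constructed placeholders.

```haproxy
# Added illustration, not the project's own haproxy.cfg. VIP 172.16.126.250 is
# the address from the PBR rule; every backend address below is a constructed placeholder.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Vault: L4 pass-through, so TLS still terminates on Vault. The health probe is HTTP
# even though traffic is TCP; expecting 200 keeps standbys (429) out of rotation,
# so only the active node receives client connections.
frontend vault_frontend
    bind 172.16.126.250:8200
    default_backend vault_backend

backend vault_backend
    option httpchk GET /v1/sys/health
    http-check expect status 200
    server vault-0 172.16.126.11:8200 check
    server vault-1 172.16.126.12:8200 check

# Kubernetes ingress: send-proxy-v2 prepends a PROXY protocol v2 header carrying the
# real client IP. The ingress controller must be configured to expect it and must be
# reachable only via the CLB, because it trusts whatever source the header claims.
frontend k8s_ingress_https
    bind 172.16.126.250:443
    default_backend k8s_ingress_https_backend

backend k8s_ingress_https_backend
    balance roundrobin
    server worker-0 172.16.126.21:443 check send-proxy-v2
    server worker-1 172.16.126.22:443 check send-proxy-v2
# Port 80 mirrors this frontend/backend pair.

# Patroni: the check hits the REST API on 8008 while traffic goes to 5432, so only
# the node answering 200 on /primary accepts writes (a /replica pool is analogous).
frontend postgres_primary_frontend
    bind 172.16.126.250:5432
    default_backend postgres_primary_backend

backend postgres_primary_backend
    option httpchk GET /primary
    http-check expect status 200
    server pg-0 172.16.126.31:5432 check port 8008
    server pg-1 172.16.126.32:5432 check port 8008
```

Because the VIP exists only on the node currently holding it, the Backup node needs `net.ipv4.ip_nonlocal_bind=1` for HAProxy to bind these frontends before a failover occurs.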