diff --git a/ansible/roles/loadbalancer/defaults/main.yml b/ansible/roles/loadbalancer/defaults/main.yml
index b9935b3adc..5417353876 100644
--- a/ansible/roles/loadbalancer/defaults/main.yml
+++ b/ansible/roles/loadbalancer/defaults/main.yml
@@ -92,4 +92,7 @@ haproxy_defaults_balance: "roundrobin"
 # https://bugs.launchpad.net/kolla-ansible/+bug/1917068
 haproxy_host_ipv4_tcp_retries2: "KOLLA_UNSET"
+# HAProxy socket admin permissions enable
+haproxy_socket_level_admin: "no"
+
 kolla_externally_managed_cert: False
diff --git a/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2 b/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
index 5a100ba15d..5e4ad2c673 100644
--- a/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
+++ b/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
@@ -12,7 +12,8 @@ global
 cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}
 {% endfor %}
 {% endif %}
- stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
+ stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}
+
 {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
 ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
diff --git a/releasenotes/notes/haproxy-add-admin-socket-2c84eabd45b1b3dc.yaml b/releasenotes/notes/haproxy-add-admin-socket-2c84eabd45b1b3dc.yaml
new file mode 100644
index 0000000000..3e48c0aee3
--- /dev/null
+++ b/releasenotes/notes/haproxy-add-admin-socket-2c84eabd45b1b3dc.yaml
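Review bot: The comment added above `haproxy_socket_level_admin` does not say what enabling the flag grants, nor what level the socket has while it stays at "no". HAProxy's stats socket runs at the operator level when no `level` keyword is given, and the admin level additionally accepts commands that change runtime state. The comment should record that for whoever flips the default, for example `# Adds "level admin" to the HAProxy stats socket (HAProxy's default level is operator).` followed by `# Any process that can write to the socket can then change HAProxy runtime state; keep "no" unless needed.`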
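Review bot: Appending `level admin` to the existing `stats socket` line upgrades the single socket that every current consumer already opens, so `group kolla mode 660` becomes the only control over who may issue admin commands. Which other processes or containers can reach `/var/lib/kolla/haproxy/haproxy.sock` is not visible in this hunk and should be confirmed before the flag is enabled in a deployment. A Jinja comment directly above the line would keep that trade-off next to the setting: `{# level admin: every process with write access to this socket (group kolla) can change HAProxy runtime state #}`. The `global` section starts before and continues past the hunk.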
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Implements the HAProxy Admin Socket.
+ Allows operators to set the flag ``haproxy_socket_level_admin``
+ (default: "no") which adds ``level admin`` to socket that gets created at
+ ``/var/lib/kolla/haproxy/haproxy.sock`` inside the HAProxy container.
+ This allows operators to interact with HAProxy, including but not limited
+ to disabling backend servers for controlled maintenance operations.
+ `bug 1960215 `__.