[haproxy] optionally set socket to allow admin commands

Allow operators to set haproxy socket to admin level.
This is done via the flag haproxy_socket_level_admin which
is set to "no" by default.

Closes-Bug: 1960215

Signed-off-by: Imran Hussain <ih@imranh.co.uk>
Change-Id: Ia0da89288d68f5803ace1934c013053f12343195

ansible/roles/loadbalancer/defaults/main.yml

@@ -92,4 +92,7 @@ haproxy_defaults_balance: "roundrobin"
 # https://bugs.launchpad.net/kolla-ansible/+bug/1917068
 haproxy_host_ipv4_tcp_retries2: "KOLLA_UNSET"
 
+# HAProxy socket admin permissions enable
+haproxy_socket_level_admin: "no"
+
 kolla_externally_managed_cert: False

ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2

@@ -12,7 +12,8 @@ global
     cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}
         {% endfor %}
     {% endif %}
-    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
+    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}
+
     {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

releasenotes/notes/haproxy-add-admin-socket-2c84eabd45b1b3dc.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Implements the HAProxy Admin Socket.
+    Allows operators to set the flag ``haproxy_socket_level_admin``
+    (default: "no") which adds ``level admin`` to socket that gets created at
+    ``/var/lib/kolla/haproxy/haproxy.sock`` inside the HAProxy container.
+    This allows operators to interact with HAProxy, including but not limited
+    to disabling backend servers for controlled maintenance operations.
+    `bug 1960215 <https://bugs.launchpad.net/kolla-ansible/+bug/1960215>`__.