Is there a way to run the Data Plane API in read-only mode? Perhaps by limiting permissions to access the socket in some way?
context:
We manage our configurations for HAProxy and other infrastructure services using consul-template with consul. This approach automatically updates config files when there are changes to made to service metadata in consul. We use this to update backends and servers in haproxy.cfg and then we have scripts that orchestrate reloads across our ingress using consul locks. We require this orchestration because we use websockets extensively, and reloading multiple haproxies at the same time can lead to an extremely poor client experience.
Currently, we use the HAProxy Runtime API to monitor health and status. We would like to change to use the HAProxy Data Plane API so that we can get the more detailed status information that does not exist in the Runtime API. But we’ve discovered that the Data Plane API will actively revert changes that we make to haproxy.cfg, which means that it fights with consul-template. This is obviously a huge problem because we end up with thrashing configurations. So we would love some way to use the GET endpoints in the Data Plane API without allowing it to also manage the configuration.