Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r-- | manifests/haproxy.pp | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a449a49..208f328 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,6 +146,10 @@
 # the servers it balances
 # Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 #
+# [*crl_file*]
+# Path to the CRL file to be used for checking revoked certificates.
+# Defaults to undef
+#
 # [*haproxy_stats_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -324,6 +328,11 @@
 # (optional) Enable or not OVN northd binding
 # Defaults to hiera('ovn_dbs_enabled', false)
 #
+# [*ovn_dbs_manage_lb*]
+# (optional) Whether or not haproxy should configure OVN dbs for load balancing
+# if ovn_dbs is enabled.
+# Defaults to false
+#
 # [*zaqar_ws*]
 # (optional) Enable or not Zaqar Websockets binding
 # Defaults to false
@@ -560,6 +569,7 @@ class tripleo::haproxy (
 $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
 $ssl_options = 'no-sslv3',
 $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+ $crl_file = undef,
 $haproxy_stats_certificate = undef,
 $keystone_admin = hiera('keystone_enabled', false),
 $keystone_public = hiera('keystone_enabled', false),
@@ -603,6 +613,7 @@ class tripleo::haproxy (
 $ceph_rgw = hiera('ceph_rgw_enabled', false),
 $opendaylight = hiera('opendaylight_api_enabled', false),
 $ovn_dbs = hiera('ovn_dbs_enabled', false),
+ $ovn_dbs_manage_lb = false,
 $zaqar_ws = hiera('zaqar_api_enabled', false),
 $ui = hiera('enable_ui', false),
 $aodh_network = hiera('aodh_api_network', undef),
@@ -722,7 +733,13 @@ class tripleo::haproxy (
 $ports = merge($default_service_ports, $service_ports)
 if $enable_internal_tls {
- $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+ if $crl_file {
+ $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+ } else {
+ $internal_tls_member_options = $base_internal_tls_member_options
+ }
 Haproxy::Balancermember {
 verifyhost => true
 }
@@ -1489,9 +1506,12 @@ class tripleo::haproxy (
 }
- if $ovn_dbs {
+ if $ovn_dbs and $ovn_dbs_manage_lb {
 # FIXME: is this config enough to ensure we only hit the first node in
 # ovn_northd_node_ips ?
+ # We only configure ovn_dbs_vip in haproxy if HA for OVN DB servers is
+ # disabled.
+ # If HA is enabled, pacemaker configures the OVN DB servers accordingly.
 $ovn_db_listen_options = {
 'option' => [ 'tcpka' ],
 'timeout client' => '90m', |
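Review bot: The `crl-file` option is only appended inside the `if $enable_internal_tls` branch, so a `crl_file` set without internal TLS is silently ignored and revocation checking never happens for those members; the `[*crl_file*]` doc in the first hunk should say so, e.g. `# Only used when enable_internal_tls is true.`. The new parameter is also not validated: haproxy will refuse to start if the path is missing or not a PEM CRL, so a `validate_absolute_path($crl_file)` guard (stdlib, which this class already uses for `concat`/`merge`) next to the new `if $crl_file` would surface a typo at catalog compile time rather than at service start — assuming the class does such validation for its other path parameters, which I cannot see here. The enclosing `class tripleo::haproxy` body continues outside the hunk.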
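Review bot: Defaulting `ovn_dbs_manage_lb` to `false` changes behaviour for existing deployments: anyone who relied on `ovn_dbs` alone to get the OVN DB frontend will lose it on upgrade unless they now opt in, and the `[*ovn_dbs_manage_lb*]` doc in the second hunk does not say when that opt-in is appropriate. The new inline comment explains that haproxy should only configure `ovn_dbs_vip` when OVN DB HA is disabled, so that condition belongs in the parameter doc too, e.g. `# Set to false when pacemaker manages HA for the OVN DB servers.`. The pre-existing `FIXME` about only hitting the first node in `ovn_northd_node_ips` is left unresolved by this change. The enclosing `if` block continues past the end of the hunk.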