5 files changed, 64 insertions, 4 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 31a5415..8e73ce3 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -27,13 +27,59 @@
 #   (Optional) Whether or not loadbalancer is enabled.
 #   Defaults to hiera('enable_load_balancer', true).
 #
+# [*generate_service_certificates*]
+#   (Optional) Whether or not certmonger will generate certificates for
+#   HAProxy. This could be as many as specified by the $certificates_specs
+#   variable.
+#   Note that this doesn't configure the certificates in haproxy, it merely
+#   creates the certificates.
+#   Defaults to hiera('generate_service_certificate', false).
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     tripleo::profile::base::haproxy::certificates_specs:
+#       undercloud-haproxy-public-cert:
+#         service_pem: <haproxy ready pem file>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         hostname: <undercloud fqdn>
+#         postsave_cmd: <command to update certificate on resubmit>
+#         principal: "haproxy/<undercloud fqdn>"
+#   Defaults to {}.
+#
 class tripleo::profile::base::haproxy (
-  $enable_load_balancer = hiera('enable_load_balancer', true),
-  $step                 = hiera('step'),
+  $enable_load_balancer          = hiera('enable_load_balancer', true),
+  $step                          = hiera('step'),
+  $generate_service_certificates = hiera('generate_service_certificates', false),
+  $certmonger_ca                 = hiera('certmonger_ca', 'local'),
+  $certificates_specs            = {},
 ) {
 
   if $step >= 1 {
     if $enable_load_balancer {
+      if str2bool($generate_service_certificates) {
+        include ::certmonger
+        # This is only needed for certmonger's local CA. For any other CA this
+        # operation (trusting the CA) should be done by the deployer.
+        if $certmonger_ca == 'local' {
+          include ::tripleo::certmonger::ca::local
+        }
+
+        Certmonger_certificate {
+          ca          => $certmonger_ca,
+          ensure      => 'present',
+          wait        => true,
+          require     => Class['::certmonger'],
+        }
+        create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+      }
+
       include ::tripleo::haproxy
     }
   }
diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp
index 0fc30d8..fa0e2f1 100644
--- a/manifests/profile/base/heat.pp
+++ b/manifests/profile/base/heat.pp
@@ -42,6 +42,16 @@ class tripleo::profile::base::heat (
   $manage_db_purge = hiera('heat_enable_db_purge', true),
 ) {
 
+  # Domain resources will be created at step5 on the pacemaker_master so we
+  # configure heat.conf at step3 and 4 but actually create the domain later.
+  if hiera('step') == 3 or hiera('step') == 4 {
+    class { '::heat::keystone::domain':
+      manage_domain => false,
+      manage_user   => false,
+      manage_role   => false,
+    }
+  }
+
   if $step >= 4 {
     class { '::heat' :
       notification_driver => $notification_driver,
diff --git a/manifests/profile/pacemaker/gnocchi.pp b/manifests/profile/pacemaker/gnocchi.pp
index 98d1b36..edc1728 100644
--- a/manifests/profile/pacemaker/gnocchi.pp
+++ b/manifests/profile/pacemaker/gnocchi.pp
@@ -59,11 +59,13 @@ class tripleo::profile::pacemaker::gnocchi (
     }
   }
 
-  if $step >= 3 and $pacemaker_master {
+  if $step >= 3 {
     include ::gnocchi
     include ::gnocchi::config
     include ::gnocchi::client
-    include ::gnocchi::db::sync
+    if $pacemaker_master {
+      include ::gnocchi::db::sync
+    }
   }
 
   if $step >= 5 and $pacemaker_master {
diff --git a/manifests/profile/pacemaker/gnocchi/api.pp b/manifests/profile/pacemaker/gnocchi/api.pp
index da65731..ede4c9a 100644
--- a/manifests/profile/pacemaker/gnocchi/api.pp
+++ b/manifests/profile/pacemaker/gnocchi/api.pp
@@ -28,6 +28,7 @@ class tripleo::profile::pacemaker::gnocchi::api (
 ) {
 
   include ::tripleo::profile::pacemaker::gnocchi
+  include ::tripleo::profile::pacemaker::apache
 
   class { '::tripleo::profile::base::gnocchi::api':
     step    => $step,
diff --git a/manifests/profile/pacemaker/keystone.pp b/manifests/profile/pacemaker/keystone.pp
index e8e12a3..1cd5178 100644
--- a/manifests/profile/pacemaker/keystone.pp
+++ b/manifests/profile/pacemaker/keystone.pp
@@ -51,6 +51,7 @@ class tripleo::profile::pacemaker::keystone (
   }
 
   include ::tripleo::profile::base::keystone
+  include ::tripleo::profile::pacemaker::apache
 
   if $step >= 5 and $pacemaker_master and $enable_load_balancer {
     pacemaker::constraint::base { 'haproxy-then-keystone-constraint':