Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/profile/base/haproxy.pp | 50 | ||||
-rw-r--r-- | manifests/profile/pacemaker/database/redis.pp | 4 |
2 files changed, 48 insertions, 6 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 31a5415..8e73ce3 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -27,13 +27,59 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# tripleo::profile::base::haproxy::certificates_specs: +# undercloud-haproxy-public-cert: +# service_pem: <haproxy ready pem file> +# service_certificate: <service certificate path> +# service_key: <service key path> +# hostname: <undercloud fqdn> +# postsave_cmd: <command to update certificate on resubmit> +# principal: "haproxy/<undercloud fqdn>" +# Defaults to {}. +# class tripleo::profile::base::haproxy ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $step = hiera('step'), + $generate_service_certificates = hiera('generate_service_certificates', false), + $certmonger_ca = hiera('certmonger_ca', 'local'), + $certificates_specs = {}, ) { if $step >= 1 { if $enable_load_balancer { + if str2bool($generate_service_certificates) { + include ::certmonger + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. 
+ if $certmonger_ca == 'local' { + include ::tripleo::certmonger::ca::local + } + + Certmonger_certificate { + ca => $certmonger_ca, + ensure => 'present', + wait => true, + require => Class['::certmonger'], + } + create_resources('::tripleo::certmonger::haproxy', $certificates_specs) + } + include ::tripleo::haproxy } } diff --git a/manifests/profile/pacemaker/database/redis.pp b/manifests/profile/pacemaker/database/redis.pp index 9bb96ae..27dcbe9 100644 --- a/manifests/profile/pacemaker/database/redis.pp +++ b/manifests/profile/pacemaker/database/redis.pp @@ -18,9 +18,6 @@ # # === Parameters # -# [*redis_vip*] -# Redis virtual IP -# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') @@ -36,7 +33,6 @@ # class tripleo::profile::pacemaker::database::redis ( - $redis_vip, $bootstrap_node = hiera('bootstrap_nodeid'), $enable_load_balancer = hiera('enable_load_balancer', true), $step = hiera('step'), |
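Review bot: The documented default for `generate_service_certificates` in manifests/profile/base/haproxy.pp names the hiera key `generate_service_certificate` (singular), while the parameter reads `hiera('generate_service_certificates', false)`; a deployer who sets the documented key gets no certificates and no error. The comment should read `# Defaults to hiera('generate_service_certificates', false).`. Separately, `$certificates_specs` is passed straight to `create_resources` and, per the documented example, carries a `postsave_cmd` command plus key and PEM paths, so a `validate_hash($certificates_specs)` before the call and a doc line stating that this hiera data must come from a trusted source would help. The class body closes outside this hunk.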