4 files changed, 75 insertions, 1 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 2fdecb4f..e85185d6 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -1,3 +1,7 @@
+# ********************************************************************************
+# DEPRECATED: Use tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
+# instead.
+# ********************************************************************************
 # A Heat environment file which can be used to enable a
 # a TLS for in the internal network via certmonger
 parameter_defaults:
diff --git a/environments/ssl/enable-internal-tls.yaml b/environments/ssl/enable-internal-tls.yaml
new file mode 100644
index 00000000..287ed19f
--- /dev/null
+++ b/environments/ssl/enable-internal-tls.yaml
@@ -0,0 +1,36 @@
+# *******************************************************************
+# This file was created automatically by the sample environment
+# generator. Developers should use `tox -e genconfig` to update it.
+# Users are recommended to make changes to a copy of the file instead
+# of the original, if any customizations are needed.
+# *******************************************************************
+# title: Enable SSL on OpenStack Internal Endpoints
+# description: |
+#   A Heat environment file which can be used to enable TLS for the internal
+#   network via certmonger
+parameter_defaults:
+  # ******************************************************
+  # Static parameters - these are values that must be
+  # included in the environment but should not be changed.
+  # ******************************************************
+  # 
+  # Type: boolean
+  EnableInternalTLS: True
+
+  # Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host.
+  # Type: string
+  RabbitClientUseSSL: True
+
+  # Extra properties or metadata passed to Nova for the created nodes in the overcloud. It's accessible via the Nova metadata API.
+  # Type: json
+  ServerMetadata:
+    ipa_enroll: True
+
+  # *********************
+  # End static parameters
+  # *********************
+resource_registry:
+  OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
+  OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+  OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
+  OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index 4e59d53b..43a1afc1 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -22,6 +22,40 @@ environments:
             The contents of the private key go here
     resource_registry:
       OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
+  -
+    name: ssl/enable-internal-tls
+    title: Enable SSL on OpenStack Internal Endpoints
+    description: |
+      A Heat environment file which can be used to enable TLS for the internal
+      network via certmonger
+    files:
+      puppet/all-nodes-config.yaml:
+        parameters:
+          - EnableInternalTLS
+      puppet/services/nova-base.yaml:
+        parameters:
+          - RabbitClientUseSSL
+      overcloud.yaml:
+        parameters:
+          - ServerMetadata
+    static:
+      - EnableInternalTLS
+      - RabbitClientUseSSL
+      - ServerMetadata
+    sample_values:
+      EnableInternalTLS: True
+      RabbitClientUseSSL: True
+      ServerMetadata: |-2
+
+            ipa_enroll: True
+    resource_registry:
+      OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+      OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
+      # We use apache as a TLS proxy
+      OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
+      # Creates nova metadata that will create the extra service principals per
+      # node.
+      OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
   - name: ssl/inject-trust-anchor
     title: Inject SSL Trust Anchor on Overcloud Nodes
     description: |
diff --git a/tripleo_heat_templates/environment_generator.py b/tripleo_heat_templates/environment_generator.py
index f1469390..e13690dd 100755
--- a/tripleo_heat_templates/environment_generator.py
+++ b/tripleo_heat_templates/environment_generator.py
@@ -159,7 +159,7 @@ def _generate_environment(input_env, parent_env=None):
         for line in env_desc.splitlines():
             env_file.write(u'#   %s\n' % line)
 
-        if parameter_defaults:
+        if parameter_defaults or static_defaults:
             env_file.write(u'parameter_defaults:\n')
         for name, value in sorted(parameter_defaults.items()):
             write_sample_entry(env_file, name, value)