1 files changed, 10 insertions, 6 deletions

diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index bd5b9ef6..e32b44dd 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
   HAproxy service configured with Puppet
@@ -37,6 +37,11 @@ parameters:
   MonitoringSubscriptionHaproxy:
     default: 'overcloud-haproxy'
     type: string
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 resources:
 
@@ -71,6 +76,7 @@ outputs:
             tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}
+            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
             tripleo::profile::base::haproxy::certificates_specs:
               map_merge:
                 - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
@@ -96,8 +102,6 @@ outputs:
           when: haproxy_enabled.rc == 0
           service: name=haproxy state=started
       metadata_settings:
-        yaql:
-          expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))'
-          data:
-            public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
-            internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
+        list_concat:
+          - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
+          - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}