Always include certmonger_user

This makes sure we always include the certmonger_user profile, which
installs the local CA (if that's the one we're using). This is necessary
for when we deploy TLS by default in the overcloud.

It also makes the setting of the certificate specification to be
optional and to depend on the generate_service_certificate flag.

Change-Id: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c

elements/puppet-stack-config/puppet-stack-config.pp

@@ -73,11 +73,9 @@ Class['::rabbitmq'] -> Service['httpd']
 include ::tripleo::firewall
 include ::tripleo::selinux
 include ::tripleo::profile::base::kernel
+include ::tripleo::profile::base::certmonger_user
 
 if hiera('tripleo::haproxy::service_certificate', undef) {
-  if str2bool(hiera('generate_service_certificates')) {
-    include ::tripleo::profile::base::certmonger_user
-  }
   class {'::tripleo::profile::base::haproxy':
     enable_load_balancer => true,
   }

elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -17,6 +17,7 @@ sysctl_settings: {{SYSCTL_SETTINGS}}
 # SSL
 tripleo::haproxy::service_certificate: {{UNDERCLOUD_SERVICE_CERTIFICATE}}
 generate_service_certificates: {{GENERATE_SERVICE_CERTIFICATE}}
+{{#GENERATE_SERVICE_CERTIFICATE}}
 tripleo::profile::base::haproxy::certificates_specs:
   undercloud-haproxy-public:
     service_pem: {{UNDERCLOUD_SERVICE_CERTIFICATE}}
@@ -25,6 +26,7 @@ tripleo::profile::base::haproxy::certificates_specs:
     hostname: "%{hiera('controller_public_host')}"
     postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}} undercloud-haproxy-public-cert"
     principal: {{SERVICE_PRINCIPAL}}
+{{/GENERATE_SERVICE_CERTIFICATE}}
 
 # CA defaults
 certmonger_ca: {{CERTIFICATE_GENERATION_CA}}