diff --git a/deployment_scripts/puppet/manifests/cluster-haproxy.pp b/deployment_scripts/puppet/manifests/cluster-haproxy.pp
new file mode 100644
index 0000000..81fb88d
--- /dev/null
+++ b/deployment_scripts/puppet/manifests/cluster-haproxy.pp
@@ -0,0 +1,162 @@
+$fuel_version = 0 + hiera('fuel_version')
+
+$network_scheme = hiera_hash('network_scheme', {})
+$haproxy_hash = hiera_hash('haproxy', {})
+
+$haproxy_maxconn = '16000'
+$haproxy_bufsize = '32768'
+$other_networks = direct_networks($network_scheme['endpoints'])
+$haproxy_maxrewrite = '1024'
+$haproxy_log_file = '/var/log/haproxy.log'
+$haproxy_ssl_default_dh_param = '2048'
+$primary_controller = false
+$debug = false
+$spread_checks = '3'
+
+#FIXME(mattymo): Replace with only VIPs for roles assigned to this node
+include ::concat::setup
+include ::haproxy::params
+include ::rsyslog::params
+
+package { 'haproxy':
+ name => $::haproxy::params::package_name,
+}
+
+#NOTE(bogdando) we want defaults w/o chroot
+# and this override looks the only possible if
+# upstream manifests must be kept intact
+$global_options = {
+ 'log' => '/dev/log local0',
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'maxconn' => $haproxy_maxconn,
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'stats' => 'socket /var/lib/haproxy/stats',
+ 'spread-checks' => $spread_checks,
+ 'tune.bufsize' => $haproxy_bufsize,
+ 'tune.maxrewrite' => $haproxy_maxrewrite,
+ 'tune.ssl.default-dh-param' => $haproxy_ssl_default_dh_param,
+}
+
+$defaults_options = {
+ 'log' => 'global',
+ 'maxconn' => '8000',
+ 'mode' => 'http',
+ 'retries' => '3',
+ 'option' => [
+ 'redispatch',
+ 'http-server-close',
+ 'splice-auto',
+ 'dontlognull',
+ ],
+ 'timeout' => [
+ 'http-request 20s',
+ 'queue 1m',
+ 'connect 10s',
+ 'client 1m',
+ 'server 1m',
+ 'check 10s',
+ ],
+}
+
+$service_name = 'p_haproxy'
+
+class { 'haproxy::base':
+ global_options => $global_options,
+ defaults_options => $defaults_options,
+ stats_ipaddresses => ['127.0.0.1'],
+ use_include => true,
+}
+
+sysctl::value { 'net.ipv4.ip_nonlocal_bind':
+ value => '1'
+}
+
+service { 'haproxy' :
+ ensure => 'running',
+ name => $service_name,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+}
+
+tweaks::ubuntu_service_override { 'haproxy' :
+ service_name => 'haproxy',
+ package_name => $haproxy::params::package_name,
+}
+
+class { 'cluster::haproxy::rsyslog':
+ log_file => $haproxy_log_file,
+}
+
+Package['haproxy'] ->
+Class['haproxy::base']
+
+Class['haproxy::base'] ~>
+Service['haproxy']
+
+Package['haproxy'] ~>
+Service['haproxy']
+
+Sysctl::Value['net.ipv4.ip_nonlocal_bind'] ~>
+Service['haproxy']
+
+# Pacemaker
+$primitive_type = 'ns_haproxy'
+$complex_type = 'clone'
+$metadata = {
+ 'migration-threshold' => '3',
+ 'failure-timeout' => '120',
+}
+$parameters = {
+ 'ns' => 'haproxy',
+ 'debug' => $debug,
+ 'other_networks' => $other_networks,
+}
+$operations = {
+ 'monitor' => {
+ 'interval' => '30',
+ 'timeout' => '60'
+ },
+ 'start' => {
+ 'timeout' => '60'
+ },
+ 'stop' => {
+ 'timeout' => '60'
+ },
+}
+
+if $fuel_version < 9.0 {
+
+ pacemaker_wrappers::service { $service_name :
+ primitive_type => $primitive_type,
+ parameters => $parameters,
+ metadata => $metadata,
+ operations => $operations,
+ ms_metadata => {
+ 'interleave' => true,
+ },
+ complex_type => $complex_type,
+ prefix => false,
+ }
+
+ Cs_resource[$service_name] ->
+ Service[$service_name]
+} else {
+
+ pacemaker::service { $service_name :
+ primitive_type => $primitive_type,
+ parameters => $parameters,
+ metadata => $metadata,
+ operations => $operations,
+ complex_metadata => {
+ 'interleave' => true,
+ },
+ complex_type => $complex_type,
+ prefix => false,
+ }
+
+ Pcmk_resource[$service_name] ->
+ Service[$service_name]
+}
diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml
index dde0a69..062ec37 100644
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@@ -10,7 +10,6 @@
 - logging
 - netconfig
 - hosts
- - cluster-haproxy
 required_for: [deploy_end]
 requires: [deploy_start]
 parameters:
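Review bot: In `$global_options` of cluster-haproxy.pp the stats socket is declared as `'stats' => 'socket /var/lib/haproxy/stats'` with no `mode` or `level`, so its file permissions are left to the process umask, and the NOTE above the hash says the chroot default is deliberately dropped. Any local account that can open that socket can query HAProxy's runtime interface, so I would pin it explicitly, e.g. `'stats' => 'socket /var/lib/haproxy/stats mode 600 level operator',`, unless a monitoring agent running as another user has to read it (not visible in this diff). `$haproxy_hash` and `$primary_controller` are assigned but never referenced in this manifest; drop them, or add a comment naming what consumes them.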
@@ -54,7 +53,6 @@
 - id: lma-es-cluster
 type: puppet
 groups: [primary-elasticsearch_kibana, elasticsearch_kibana]
- required_for: [cluster-haproxy]
 requires: [lma-es-firewall]
 parameters:
 puppet_manifest: "puppet/manifests/cluster.pp"
@@ -63,6 +61,17 @@
 reexecute_on:
 - deploy_changes
 
+- id: lma-es-cluster-haproxy
+ type: puppet
+ groups: [primary-elasticsearch_kibana, elasticsearch_kibana]
+ requires: [lma-es-cluster]
+ parameters:
+ puppet_manifest: "puppet/manifests/cluster-haproxy.pp"
+ puppet_modules: puppet/modules:/etc/puppet/modules
+ timeout: 3600
+ reexecute_on:
+ - deploy_changes
+
 - id: lma-es-virtual-ip
 type: puppet
 groups: [primary-elasticsearch_kibana, elasticsearch_kibana]
@@ -91,7 +100,7 @@
 - id: lma-es-kibana-haproxy
 type: puppet
 groups: [primary-elasticsearch_kibana, elasticsearch_kibana]
- requires: [cluster-haproxy, lma-es-virtual-ip]
+ requires: [lma-es-cluster-haproxy, lma-es-virtual-ip]
 required_for: [deploy_end]
 parameters:
 puppet_manifest: "puppet/manifests/haproxy.pp"
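Review bot: The new `lma-es-cluster-haproxy` task in the `@@ -63,6 +61,17 @@` hunk declares only `requires: [lma-es-cluster]` and no `required_for`, so the only thing ordering it ahead of `deploy_end` is the `requires` entry on `lma-es-kibana-haproxy` changed in the last hunk. If `lma-es-virtual-ip` also needs the `p_haproxy` resource in place, it should list the new task too; its `requires` line lies outside the hunk, so this could not be confirmed. A one-line comment above the task, such as `# Plugin-local replacement for the core cluster-haproxy task; must run after lma-es-cluster`, would record why the plugin now ships its own manifest.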