Implement haproxy_pki_create_certificates variable

In cases when internal and external haproxy frontends should use
different, pre-generated certificates, it's not possible to define them
with haproxy_user_ssl_cert because it accepts only one certificate.
In this case, certificates can be placed manually in pki/ directory.
Unfortunately, with current logic, certificates creation with PKI role
is disabled only when haproxy_user_ssl_cert is defined.
Possibility of explicitly disabling certificates generation will be
really useful.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/915320/
Change-Id: I4eed4d797160b885d5b7187e6106e6ee0073722f

defaults/main.yml

@@ -206,6 +206,9 @@ haproxy_pki_intermediate_cert_path: >-
 haproxy_pki_regen_cert: ''
 haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}"
 
+# SSL certificate creation
+haproxy_pki_create_certificates: "{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}"
+
 # Installation details for SSL certificates
 haproxy_pki_install_certificates: "{{ _haproxy_pki_install_certificates }}"
 

releasenotes/notes/haproxy_pki_create_certificates-28dd48424855f463.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    ``haproxy_pki_create_certificates`` was implemented. It allows users to
+    explicitly disable certificates generation with PKI role but keep using
+    it for certificates distribution.

tasks/main.yml

@@ -54,7 +54,7 @@
     pki_authorities: "{{ haproxy_pki_authorities }}"
     pki_install_ca: "{{ haproxy_pki_install_ca }}"
     pki_regen_ca: "{{ haproxy_pki_regen_ca }}"
-    pki_create_certificates: "{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}"
+    pki_create_certificates: "{{ haproxy_pki_create_certificates }}"
     pki_regen_cert: "{{ haproxy_pki_regen_cert }}"
     pki_certificates: "{{ haproxy_pki_certificates }}"
     pki_install_certificates: "{{ haproxy_pki_install_certificates }}"