From ed8eeba8d3bd3b97d0b2457f4fcd46392062bb03 Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Tue, 9 Apr 2024 00:11:15 +0200 Subject: [PATCH] Implement haproxy_pki_create_certificates variable In cases when internal and external haproxy frontends should use different, pre-generated certificates, it's not possible to define them with haproxy_user_ssl_cert because it accepts only one certificate. In this case, certificates can be placed manually in pki/ directory. Unfortunately, with current logic, certificates creation with PKI role is disabled only when haproxy_user_ssl_cert is defined. Possibility of explicitly disabling certificates generation will be really useful. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/915320/ Change-Id: I4eed4d797160b885d5b7187e6106e6ee0073722f --- defaults/main.yml | 3 +++ .../haproxy_pki_create_certificates-28dd48424855f463.yaml | 6 ++++++ tasks/main.yml | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/haproxy_pki_create_certificates-28dd48424855f463.yaml diff --git a/defaults/main.yml b/defaults/main.yml index 25a4826..257673e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -206,6 +206,9 @@ haproxy_pki_intermediate_cert_path: >- haproxy_pki_regen_cert: '' haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}" +# SSL certificate creation +haproxy_pki_create_certificates: "{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}" + # Installation details for SSL certificates haproxy_pki_install_certificates: "{{ _haproxy_pki_install_certificates }}" diff --git a/releasenotes/notes/haproxy_pki_create_certificates-28dd48424855f463.yaml b/releasenotes/notes/haproxy_pki_create_certificates-28dd48424855f463.yaml new file mode 100644 index 0000000..ec20d75 --- /dev/null +++ b/releasenotes/notes/haproxy_pki_create_certificates-28dd48424855f463.yaml 
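Review bot: The comment `# SSL certificate creation` above `haproxy_pki_create_certificates` in defaults/main.yml does not say what type the variable takes or what the operator must supply once it is turned off. Per the commit message, disabling generation means the certificates and keys are placed in the PKI directory by hand while the role still distributes them, so a missing or stale file would presumably surface only at install time or on the frontend. I would expand the comment to something like `# Boolean. Set to false to skip certificate generation by the PKI role; the certificate and key files must then already exist in the PKI directory, as distribution still runs.` The same comment could state that the default remains tied to `haproxy_user_ssl_cert` and `haproxy_user_ssl_key` being undefined.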
@@ -0,0 +1,6 @@ +--- +features: + - | + ``haproxy_pki_create_certificates`` was implemented. It allows users to + explicitly disable certificates generation with PKI role but keep using + it for certificates distribution. diff --git a/tasks/main.yml b/tasks/main.yml index 3c78dc1..6dfbbe6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -54,7 +54,7 @@ pki_authorities: "{{ haproxy_pki_authorities }}" pki_install_ca: "{{ haproxy_pki_install_ca }}" pki_regen_ca: "{{ haproxy_pki_regen_ca }}" - pki_create_certificates: "{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}" + pki_create_certificates: "{{ haproxy_pki_create_certificates }}" pki_regen_cert: "{{ haproxy_pki_regen_cert }}" pki_certificates: "{{ haproxy_pki_certificates }}" pki_install_certificates: "{{ haproxy_pki_install_certificates }}"
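Review bot: `pki_create_certificates` in tasks/main.yml now takes an operator-settable value without normalising it, so a string override (for example one passed as `key=value` extra-vars) reaches the PKI role as text rather than a boolean. How the role evaluates the value is not visible here, but if a non-empty string is treated as true, generation would run when the operator meant to disable it. Casting at the hand-off avoids that: `pki_create_certificates: "{{ haproxy_pki_create_certificates | bool }}"`. The task these vars belong to starts above the hunk.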