diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index e73db9e9b9..b88de0b442 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -56,6 +56,9 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -101,6 +104,7 @@ conditions:
     - equals:
       - {get_param: PublicSSLCertificateAutogenerated}
       - true
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -131,10 +135,17 @@ outputs:
           # bind-mounting the directories rather than all the cert, key and pem files ensures
           # that docker won't create directories on the host when then pem files do not exist
           tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
-            - get_param: InternalTLSCAFile
-            - get_param: HAProxyInternalTLSKeysDirectory
-            - get_param: HAProxyInternalTLSCertsDirectory
-            - get_param: DeployedSSLCertificatePath
+            list_concat: - if: - public_tls_enabled - - get_param: HAProxyInternalTLSKeysDirectory - get_param: HAProxyInternalTLSCertsDirectory - get_param: DeployedSSLCertificatePath - null - if: - internal_tls_enabled - get_param: InternalTLSCAFile - null
           tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
           tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
           # disable the use CRL file until we can restart the container when the file expires
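Review bot: The new EnableInternalTLS parameter has no `description:`, while the neighbouring parameters in this block carry one (`description: Parameters specific to the role` is visible directly above it). Since this toggle decides whether the CA file is bind-mounted into the HAProxy bundle, a one-liner such as `description: Enable TLS on the internal networks; when true, InternalTLSCAFile is added to the HAProxy bundle TLS mapping.` would make the parameter self-explaining in the rendered template documentation.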
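Review bot: The second `if` under `list_concat` returns `get_param: InternalTLSCAFile` as a bare scalar, whereas the first branch returns a nested one-element-per-line list (`- - get_param: ...`); `list_concat` joins lists, so with internal TLS enabled this arm should most likely read `- - get_param: InternalTLSCAFile` to match, although the collapsed rendering of this hunk makes the exact nesting hard to confirm and it should be checked against the real file. Separately, the key and cert directories (HAProxyInternalTLSKeysDirectory / HAProxyInternalTLSCertsDirectory) are now mounted only when `public_tls_enabled` holds, yet their names and the unconditional `internal_certs_directory` / `internal_keys_directory` settings just below suggest they belong under `internal_tls_enabled`; an internal-only TLS deployment would then get the CA mounted but not the key and cert directories, which deserves confirmation before merge. Whether Heat's `list_concat` tolerates the `null` placeholders is also worth verifying (I believe it treats them as empty lists; a stack validation failure is the failure mode otherwise). The enclosing config_settings mapping starts and ends outside this hunk.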