From 1d83177575f39ac706eaf0881193c6ecbf03ff1d Mon Sep 17 00:00:00 2001
From: Marc Gariepy
Date: Thu, 13 Jul 2023 15:10:46 -0400
Subject: [PATCH] Add possibility to override haproxy_ssl_path
It's now possible to set ssl cert path in case you want to bind to specific hostname via ``haproxy_bind`` and want to share a common certificate. set ``haproxy_ssl_path`` to override per service.
Change-Id: Ib517f52c0edbc4ac8d0df2a2ae078c9138141aae
---
 releasenotes/notes/haproxy_ssl_path-7130354314aee961.yaml | 4 ++++
 templates/service.j2 | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/haproxy_ssl_path-7130354314aee961.yaml
diff --git a/releasenotes/notes/haproxy_ssl_path-7130354314aee961.yaml b/releasenotes/notes/haproxy_ssl_path-7130354314aee961.yaml
new file mode 100644
index 0000000..33292c4
--- /dev/null
+++ b/releasenotes/notes/haproxy_ssl_path-7130354314aee961.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - HAProxy services can now override the path of the certificate with
+ ``haproxy_ssl_path`` if set under the service definition.
diff --git a/templates/service.j2 b/templates/service.j2
index aa43f00..dd3fc3c 100644
--- a/templates/service.j2
+++ b/templates/service.j2
@@ -51,8 +51,9 @@ bind {{ vip_address }}:{{ service.haproxy_redirect_http_port }}{{ (vip_interface
 {% if service.haproxy_accept_both_protocols | default(false) %}
 {% include 'service-redirect.j2' %}
 {% else %}
+{% set haproxy_ssl_path=haproxy_ssl_cert_path + "/haproxy_" + (haproxy_host | default(ansible_facts['hostname'])) + "-" + ((vip_interface is truthy) | ternary(vip_address ~ '-' ~ vip_interface, vip_address)) + ".pem" %}
 frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
- bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} {% if (service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ haproxy_host | default(ansible_facts['hostname']) }}-{{ (vip_interface is truthy) | ternary(vip_address ~ '-' ~ vip_interface, vip_address) }}.pem {% endif %}
+ bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} {% if (service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ service.haproxy_ssl_path | default(haproxy_ssl_path) }} {% endif %}
 {% if request_option == "http" %}
 option httplog