Filter haproxy_certificate_specs if hostname is empty

The HAProxy tripleo service currently attempts to generate certificate
specs for all enabled networks which failes on roles that omit some
networks.

For now workaround it by filtering out the bad certificate specs in
puppet-tripleo.
A similar workaround was implemented for apache in
I651919488cb68b0b9878b4e21ab376bfc6e3f0fe.

Closes-bug: #1905604
Change-Id: I6f165491228f05539193f2e762b1b10320f52c36

manifests/profile/base/certmonger_user.pp

@@ -219,7 +219,11 @@ class tripleo::profile::base::certmonger_user (
     if $certmonger_ca == 'local' {
         include tripleo::certmonger::ca::local
     }
-    unless empty($haproxy_certificates_specs) {
+
+    # Remove haproxy_certificates_specs where hostname is empty.
+    # Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
+    $haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
+    unless empty($haproxy_certificates_specs_filtered) {
       $reload_haproxy = ['systemctl reload tripleo_haproxy']
       Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
       if defined(Class['::haproxy']) {
@@ -258,9 +262,9 @@ class tripleo::profile::base::certmonger_user (
       ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
                         {'postsave_cmd' => $qemu_postsave_cmd})
     }
-    unless empty($haproxy_certificates_specs) {
+    unless empty($haproxy_certificates_specs_filtered) {
       include tripleo::certmonger::haproxy_dirs
-      ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+      ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
       # The haproxy fronends (or listen resources) depend on the certificate
       # existing and need to be refreshed if it changed.
       Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>