diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 3145b36c8d..dba4440a1a 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -248,17 +248,16 @@ outputs:
 - {get_param: DeployedSSLCertificatePath}
 - 'ro'
 - null
- -
- if:
- - internal_tls_enabled
- - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- - list_join:
- - ':'
- - - {get_param: InternalTLSCAFile}
- - {get_param: InternalTLSCAFile}
- - 'ro'
- - null
+ - if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+ - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 upgrade_tasks:
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 6f8bdb386e..859c1f132f 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -77,6 +77,9 @@ parameters:
 description: >
 The filepath of the certificate as it will be stored in the controller.
 type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
 InternalTLSCAFile:
 default: '/etc/ipa/ca.crt'
 type: string
@@ -101,6 +104,7 @@ conditions:
 - equals:
 - {get_param: PublicSSLCertificateAutogenerated}
 - true
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
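Review bot: The `EnableInternalTLS` parameter added in the `@@ -77,6 +77,9 @@` hunk of puppet/services/haproxy.yaml has no `description`, unlike the `DeployedSSLCertificatePath` entry whose description is visible just above it. With this commit the flag decides whether `tripleo::haproxy::ca_bundle` is emitted at all, and its default is `false`, so an operator reading the template should be told that the CA bundle is only passed to HAProxy when the flag is true. I would add `description: Whether internal TLS is enabled; when true, InternalTLSCAFile is passed to HAProxy as its CA bundle.` under the new key. The parameters block starts and ends outside the hunk, so other entries may follow a different wording convention.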
@@ -139,7 +143,6 @@ outputs:
 tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
 tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
 tripleo::haproxy::redis_password: {get_param: RedisPassword}
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
 tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
 tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
 enable_load_balancer: {get_param: EnableLoadBalancer}
@@ -151,6 +154,10 @@ outputs:
 - public_tls_enabled
 - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
 - {}
+ - if:
+ - internal_tls_enabled
+ - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+ - null
 - get_attr: [HAProxyPublicTLS, role_data, config_settings]
 - get_attr: [HAProxyInternalTLS, role_data, config_settings]
 step_config: |
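Review bot: The else branch of the new `internal_tls_enabled` conditional in the `@@ -151,6 +154,10 @@` hunk is `null`, while the `public_tls_enabled` conditional directly above it falls back to `{}`. The enclosing function starts outside the hunk, but the sibling entries suggest this list is merged into one settings map, in which case a null element depends on the merge tolerating nulls; writing `- {}` keeps the two conditionals consistent and always yields a mapping. It is also worth confirming that `tripleo::haproxy::crl_file`, which the previous hunk leaves unconditional, still behaves as intended when `tripleo::haproxy::ca_bundle` is no longer set.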