Fix the mounting issues for the TLS everywhere deployment

This patch adds the CRL directory to the haproxy in case of TLS
everywhere deployment.

NOTE: The queens backport doesn't contain duplicate mountpoint fixes
which only apply to train.

Closes-Bug: #1860641
Resolves: rhbz#1698058

Change-Id: I7d18befc51a4afb404b39ebdd8b1ccab4dfdf744
(cherry picked from commit c155ea701e)

docker/services/haproxy.yaml

@@ -82,6 +82,10 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  InternalTLSCRLPEMDir:
+    default: '/etc/pki/CA/crl/'
+    type: string
+    description: The directory of the CRL PEM file to be mounted.
   ConfigDebug:
     default: false
     description: Whether to run config management (e.g. Puppet) in debug mode.
@@ -162,6 +166,11 @@ outputs:
                   - - {get_param: InternalTLSCAFile}
                     - {get_param: InternalTLSCAFile}
                     - 'ro'
+              - list_join:
+                  - ':'
+                  - - {get_param: InternalTLSCRLPEMDir}
+                    - {get_param: InternalTLSCRLPEMDir}
+                    - 'ro'
             - null
       kolla_config:
         /var/lib/kolla/config_files/haproxy.json:
@@ -247,8 +256,8 @@ outputs:
                         - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
                         - list_join:
                             - ':'
-                            - - {get_param: InternalTLSCAFile}
-                              - {get_param: InternalTLSCAFile}
+                            - - {get_param: InternalTLSCRLPEMDir}
+                              - {get_param: InternalTLSCRLPEMDir}
                               - 'ro'
                       - null
               environment: