add prod os CA and make haproxy use it

roles/haproxy/files/os-master.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
+c2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcwHhcNMTcwODIyMTgyODI2WhcNMjIwODIx
+MTgyODI3WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1MDM0MjY1MDcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8x8mVwkQA0pPPcMNUKwuz
+nthngidbnIK1KPN9OLEkudgxASVMYmNNjAMc1vz5YxGgRURr6AL+tQPLnFfn5GWD
+LbP3FkniCpkg5OAgZTTm9MWXQoO+HmFY7wGdBd9VQXOoVLovSL3IvrFqE9CReRLU
+FPA8/z7sZ+4fDSB9+Clk7BoVLiJ7NeD8BzcKHqe7CFt9PYgH2WtK5nOlduVDRjwv
+yOjACtzy1TXxAXec+1m0WkIfPdQ34enbd7U5b9T/jiuQVGp7RcrcQfHTqhyPeiXk
+yz/QGqXB4h9M0SZJVdx47zXVW+t8kA5i8VajDqFdZe8iwR7IIEEG+6WMJk/2JkaP
+AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQBIjnRqG7kc2x24F4fJoUKDOwmHXPpuwVNZwR/8PnBs1KWM
+xmvst3ZJJ7+ZgVuLxauO9pAK9aqlWTC0LkJIskIT6Jj5vbENDSycuxty7eadYVDM
+zvJdtR4vuxQ4qdMzM9xcAaY5hfyDzK3c8wzAPzq++blzcxJzVcszKp8+sVRy0o0g
+/4MVFPN0ddKqDXrBV5gQt+c3FLg7a2RVUhED523V3dRlui4nxy9C1M8BqMs6RDu9
+b9AA8KQCVwHTb/FWgKkEyZDcDK+Ph5Qrn6v9eKCyKpYabqbqc1W0Ugi93+JYdn5z
+vXDoM/KSvt0NR1JWEy3n3dATp4eHJAbGkCNNW5pW
+-----END CERTIFICATE-----

roles/haproxy/templates/haproxy.cfg

@@ -428,7 +428,6 @@ listen  mbs 0.0.0.0:10063
     server  mbs-frontend02 mbs-frontend02:80 check inter 20s rise 2 fall 3
     option  httpchk GET /module-build-service/1/module-builds/
 
-{% if env == "staging" %}
 listen  os-master 0.0.0.0:10064
     balance hdr(appserver)
     server os-master01 os-master01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/os-master.pem
@@ -442,8 +441,6 @@ listen  os-nodes 0.0.0.0:10065
     server os-node02 os-node02:443 check inter 10s rise 1 fall 2 ssl verify none
     option  httpchk GET /
     http-check expect status 503
-{% endif %}
-
 
 # Apache doesn't handle the initial connection here like the other proxy
 # entries.  This proxy also doesn't use the http mode like the others.