From 71f2a53cb9e1385b22e3a47524fcc5531743ec90 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Thu, 16 Jun 2016 17:03:27 -0400
Subject: deploy composable firewall rules for HAproxy

Deploy composable iptables rules for HAproxy.
Note: we can't use Hiera here because we have some logic in
puppet-tripelo that select the services that we actually deploy.
Using this code in the Define will easily create IPtables rules that we
actually need. Some other services will be able to create IPtables rules
in Hiera (in THT), but not HAproxy now.

Change-Id: If03b18992c68461e97789c0318078a0b243c84fe
---
 manifests/haproxy/endpoint.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 94bfcff..ac6cb6c 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -117,4 +117,16 @@ define tripleo::haproxy::endpoint (
     server_names      => $server_names,
     options           => $member_options,
   }
+  if hiera('manage_firewall', true) {
+    include ::tripleo::firewall
+    $firewall_rules = {
+      "100 ${name}_haproxy"     => {
+        'dport' => $service_port,
+      },
+      "100 ${name}_haproxy_ssl" => {
+        'dport' => $public_ssl_port,
+      },
+    }
+    create_resources('tripleo::firewall::rule', $firewall_rules)
+  }
 }
-- 
cgit 1.2.3-korg