summaryrefslogtreecommitdiffstats
path: root/manifests/haproxy/endpoint.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/haproxy/endpoint.pp')
-rw-r--r--manifests/haproxy/endpoint.pp33
1 files changed, 24 insertions, 9 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 4311049..da2aba3 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -36,7 +36,7 @@
#
# [*public_virtual_ip*]
# Address in which the proxy endpoint will be listening in the public network.
-# If this service is internal only this should be ommited.
+# If this service is internal only this should be ommitted.
# Defaults to undef.
#
# [*mode*]
@@ -149,14 +149,29 @@ define tripleo::haproxy::endpoint (
}
if hiera('manage_firewall', true) {
include ::tripleo::firewall
- $firewall_rules = {
- "100 ${name}_haproxy" => {
- 'dport' => $service_port,
- },
- "100 ${name}_haproxy_ssl" => {
- 'dport' => $public_ssl_port,
- },
+ # This block will construct firewall rules only when we specify
+ # a port for the regular service and also the ssl port for the service.
+ # It makes sure we're not trying to create TCP iptables rules where no port
+ # is specified.
+ if $service_port {
+ $haproxy_firewall_rules = {
+ "100 ${name}_haproxy" => {
+ 'dport' => $service_port,
+ },
+ }
+ }
+ if $public_ssl_port {
+ $haproxy_ssl_firewall_rules = {
+ "100 ${name}_haproxy_ssl" => {
+ 'dport' => $public_ssl_port,
+ },
+ }
+ } else {
+ $haproxy_ssl_firewall_rules = {}
+ }
+ $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+ if $service_port or $public_ssl_port {
+ create_resources('tripleo::firewall::rule', $firewall_rules)
}
- create_resources('tripleo::firewall::rule', $firewall_rules)
}
}