1 files changed, 24 insertions, 9 deletions

diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 4311049..da2aba3 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -36,7 +36,7 @@
 #
 # [*public_virtual_ip*]
 #  Address in which the proxy endpoint will be listening in the public network.
-#  If this service is internal only this should be ommited.
+#  If this service is internal only this should be ommitted.
 #  Defaults to undef.
 #
 # [*mode*]
@@ -149,14 +149,29 @@ define tripleo::haproxy::endpoint (
   }
   if hiera('manage_firewall', true) {
     include ::tripleo::firewall
-    $firewall_rules = {
-      "100 ${name}_haproxy"     => {
-        'dport' => $service_port,
-      },
-      "100 ${name}_haproxy_ssl" => {
-        'dport' => $public_ssl_port,
-      },
+    # This block will construct firewall rules only when we specify
+    # a port for the regular service and also the ssl port for the service.
+    # It makes sure we're not trying to create TCP iptables rules where no port
+    # is specified.
+    if $service_port {
+      $haproxy_firewall_rules = {
+        "100 ${name}_haproxy"     => {
+          'dport' => $service_port,
+        },
+      }
+    }
+    if $public_ssl_port {
+      $haproxy_ssl_firewall_rules = {
+        "100 ${name}_haproxy_ssl" => {
+          'dport' => $public_ssl_port,
+        },
+      }
+    } else {
+      $haproxy_ssl_firewall_rules = {}
+    }
+    $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+    if $service_port or $public_ssl_port {
+      create_resources('tripleo::firewall::rule', $firewall_rules)
     }
-    create_resources('tripleo::firewall::rule', $firewall_rules)
   }
 }