commit 3916c156be9e06605ce7ee16c009751f5e4c1143
Author: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Date:   Tue Sep 22 17:25:23 2020 +0200

    Add support for with_frontend and with_backend
    
    This allows for more config flexibility - e.g. running multiple
    backends with a common frontend.
    
    Note this is a building block for future work on letsencrypt
    validator (which should offer backend and share frontend with
    any service running off 80/443 - which would be only horizon
    in the current default config), as well as any work towards
    single port (that is single frontend) and multiple services
    anchored at paths of it (which is the new recommended default).
    
    Change-Id: Ie088fcf575e4b5e8775f1f89dd705a275725e26d
    Partially-Implements: blueprint letsencrypt-https

diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
index 3712da9..f5e2fa9 100644
--- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
+++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
@@ -111,6 +111,10 @@ backend {{ service_name }}_back
         {% set custom_member_list = haproxy_service.custom_member_list|default(none) %}
         {# Mode defaults to http #}
         {% set mode = haproxy_service.mode|default('http') %}
+        {# By default each service has its own frontend (hence with_frontend is true by default) #}
+        {% set with_frontend = haproxy_service.with_frontend|default(true)|bool %}
+        {# By default each service has its own backend (hence with_backend is true by default) #}
+        {% set with_backend = haproxy_service.with_backend|default(true)|bool %}
         {# Use the parent host group but allow it to be overridden #}
         {% set host_group = haproxy_service.host_group|default(service.group) %}
         {# Additional options can be defined in config, and are additive to the global extras #}
@@ -125,10 +129,12 @@ backend {{ service_name }}_back
         {% if auth_user and auth_pass %}
 {{ userlist_macro(haproxy_name, auth_user, auth_pass) }}
         {% endif %}
+        {% if with_frontend %}
 {{ frontend_macro(haproxy_name, haproxy_service.port, mode, external,
                   frontend_http_extra, frontend_tcp_extra) }}
+        {% endif %}
         {# Redirect (to https) is a special case, as it does not include a backend #}
-        {% if mode != 'redirect' %}
+        {% if with_backend and mode != 'redirect' %}
 {{ backend_macro(haproxy_name, listen_port, mode, host_group,
                  custom_member_list, backend_http_extra, backend_tcp_extra,
                  auth_user, auth_pass, tls_backend) }}
diff --git a/releasenotes/notes/haproxy-not-all-ends-ea1b2961f039abe7.yaml b/releasenotes/notes/haproxy-not-all-ends-ea1b2961f039abe7.yaml
new file mode 100644
index 0000000..6b0b519
--- /dev/null
+++ b/releasenotes/notes/haproxy-not-all-ends-ea1b2961f039abe7.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    (internal/advanced) Adds support for ``with_frontend`` and ``with_backend``
+    to haproxy service definitions. These new fields preserve the old logic
+    by defaulting to ``true`` but can be set to ``false`` to make the selected
+    service not configure the respective "end".
+    This requires ``haproxy_service_template`` to be set to
+    ``haproxy_single_service_split.cfg.j2`` which is the new default.