Add configuration option for maas-region to setup TLS Termination on …

…it's end. Change agent-service to agent_service to comply with underscore convention
canonical · Aug 28, 2024 · 854a095 · 854a095
1 parent 5f430d0
commit 854a095
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/anvil-python/anvil/commands/haproxy.py b/anvil-python/anvil/commands/haproxy.py
@@ -29,7 +29,6 @@
     AddMachineUnitsStep,
     DeployMachineApplicationStep,
 )
-from sunbeam.utils import get_local_ip_by_default_route
 
 from anvil.jobs.manifest import Manifest
 from anvil.jobs.steps import RemoveMachineUnitStep
@@ -71,6 +70,7 @@ def validate_key_file(filepath: str | None) -> None:
     except PermissionError:
         raise ValueError(f"Permission denied when trying to read {filepath}")
 
+
 def validate_virtual_ip(value: str) -> str:
     """We allow passing an empty IP for virtual_ip"""
     if value == "":
@@ -229,7 +229,7 @@ def get_tls_services_yaml(self) -> str:
     - http-request redirect scheme https unless { ssl_fc }
   server_options: maxconn 100 cookie S{i} check
   crts: [DEFAULT]
-- service_name: agent-service
+- service_name: agent_service
   service_host: 0.0.0.0
   service_port: 80
   service_options:

diff --git a/anvil-python/anvil/commands/maas_region.py b/anvil-python/anvil/commands/maas_region.py
@@ -17,13 +17,15 @@
 
 from sunbeam.clusterd.client import Client
 from sunbeam.commands.terraform import TerraformInitStep
+from sunbeam.jobs import questions
 from sunbeam.jobs.common import BaseStep
 from sunbeam.jobs.juju import JujuHelper
 from sunbeam.jobs.steps import (
     AddMachineUnitsStep,
     DeployMachineApplicationStep,
 )
 
+from anvil.commands.haproxy import HAPROXY_CONFIG_KEY
 from anvil.jobs.manifest import Manifest
 from anvil.jobs.steps import RemoveMachineUnitStep
 
@@ -70,7 +72,13 @@ def extra_tfvars(self) -> dict[str, Any]:
             if self.client.cluster.list_nodes_by_role("haproxy")
             else False
         )
-        return {"enable_haproxy": enable_haproxy}
+        variables: dict[str, Any] = {"enable_haproxy": enable_haproxy}
+        haproxy_vars: dict[str, Any] = questions.load_answers(
+            self.client, HAPROXY_CONFIG_KEY
+        )
+        if enable_haproxy and "ssl_cert" in haproxy_vars:
+            variables["tls_mode"] = "termination"
+        return variables
 
 
 class AddMAASRegionUnitsStep(AddMachineUnitsStep):

diff --git a/cloud/etc/deploy-maas-region/main.tf b/cloud/etc/deploy-maas-region/main.tf
@@ -30,6 +30,10 @@ data "juju_model" "machine_model" {
   name = var.machine_model
 }
 
+locals {
+  tls_mode = var.tls_mode != "" ? { tls_mode = var.tls_mode } : {}
+}
+
 resource "juju_application" "maas-region" {
   name  = "maas-region"
   model = data.juju_model.machine_model.name
@@ -42,7 +46,10 @@ resource "juju_application" "maas-region" {
     base     = "ubuntu@22.04"
   }
 
-  config = var.charm_maas_region_config
+  config = merge(
+    local.tls_mode,
+    var.charm_maas_region_config,
+  )
 }
 
 resource "juju_application" "pgbouncer" {

diff --git a/cloud/etc/deploy-maas-region/variables.tf b/cloud/etc/deploy-maas-region/variables.tf
@@ -71,3 +71,9 @@ variable "max_connections_per_region" {
   type        = number
   default     = 50
 }
+
+variable "tls_mode" {
+  description = "TLS Mode for MAAS Region charm ('', 'termination', or 'passthrough')"
+  type        = string
+  default     = ""
+}