From 854a09585dcba29ebfad4dc7f85693ec96f77a2f Mon Sep 17 00:00:00 2001 From: Wyatt Rees Date: Mon, 26 Aug 2024 15:47:50 -0600 Subject: [PATCH] Add configuration option for maas-region to setup TLS Termination on it's end. Change agent-service to agent_service to comply with underscore convention --- anvil-python/anvil/commands/haproxy.py | 4 ++-- anvil-python/anvil/commands/maas_region.py | 10 +++++++++- cloud/etc/deploy-maas-region/main.tf | 9 ++++++++- cloud/etc/deploy-maas-region/variables.tf | 6 ++++++ 4 files changed, 25 insertions(+), 4 deletions(-) diff --git a/anvil-python/anvil/commands/haproxy.py b/anvil-python/anvil/commands/haproxy.py index 519e7ac..c280165 100644 --- a/anvil-python/anvil/commands/haproxy.py +++ b/anvil-python/anvil/commands/haproxy.py @@ -29,7 +29,6 @@ AddMachineUnitsStep, DeployMachineApplicationStep, ) -from sunbeam.utils import get_local_ip_by_default_route from anvil.jobs.manifest import Manifest from anvil.jobs.steps import RemoveMachineUnitStep @@ -71,6 +70,7 @@ def validate_key_file(filepath: str | None) -> None: except PermissionError: raise ValueError(f"Permission denied when trying to read {filepath}") + def validate_virtual_ip(value: str) -> str: """We allow passing an empty IP for virtual_ip""" if value == "": @@ -229,7 +229,7 @@ def get_tls_services_yaml(self) -> str: - http-request redirect scheme https unless { ssl_fc } server_options: maxconn 100 cookie S{i} check crts: [DEFAULT] -- service_name: agent-service +- service_name: agent_service service_host: 0.0.0.0 service_port: 80 service_options: diff --git a/anvil-python/anvil/commands/maas_region.py b/anvil-python/anvil/commands/maas_region.py index 4f60ef2..b1497eb 100644 --- a/anvil-python/anvil/commands/maas_region.py +++ b/anvil-python/anvil/commands/maas_region.py 
@@ -17,6 +17,7 @@ from sunbeam.clusterd.client import Client from sunbeam.commands.terraform import TerraformInitStep +from sunbeam.jobs import questions from sunbeam.jobs.common import BaseStep from sunbeam.jobs.juju import JujuHelper from sunbeam.jobs.steps import ( @@ -24,6 +25,7 @@ DeployMachineApplicationStep, ) +from anvil.commands.haproxy import HAPROXY_CONFIG_KEY from anvil.jobs.manifest import Manifest from anvil.jobs.steps import RemoveMachineUnitStep @@ -70,7 +72,13 @@ def extra_tfvars(self) -> dict[str, Any]: if self.client.cluster.list_nodes_by_role("haproxy") else False ) - return {"enable_haproxy": enable_haproxy} + variables: dict[str, Any] = {"enable_haproxy": enable_haproxy} + haproxy_vars: dict[str, Any] = questions.load_answers( + self.client, HAPROXY_CONFIG_KEY + ) + if enable_haproxy and "ssl_cert" in haproxy_vars: + variables["tls_mode"] = "termination" + return variables class AddMAASRegionUnitsStep(AddMachineUnitsStep): diff --git a/cloud/etc/deploy-maas-region/main.tf b/cloud/etc/deploy-maas-region/main.tf index c08dd5e..95baab0 100644 --- a/cloud/etc/deploy-maas-region/main.tf +++ b/cloud/etc/deploy-maas-region/main.tf @@ -30,6 +30,10 @@ data "juju_model" "machine_model" { name = var.machine_model } +locals { + tls_mode = var.tls_mode != "" ? { tls_mode = var.tls_mode } : {} +} + resource "juju_application" "maas-region" { name = "maas-region" model = data.juju_model.machine_model.name @@ -42,7 +46,10 @@ resource "juju_application" "maas-region" { base = "ubuntu@22.04" } - config = var.charm_maas_region_config + config = merge( + local.tls_mode, + var.charm_maas_region_config, + ) } resource "juju_application" "pgbouncer" { diff --git a/cloud/etc/deploy-maas-region/variables.tf b/cloud/etc/deploy-maas-region/variables.tf index ffc71bc..3a617fb 100644 --- a/cloud/etc/deploy-maas-region/variables.tf +++ b/cloud/etc/deploy-maas-region/variables.tf 
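Review bot: The new `"ssl_cert" in haproxy_vars` test in extra_tfvars keys only on the presence of the answer, so if the stored haproxy answers carry `ssl_cert` with an empty or None value (haproxy.py's `validate_key_file(filepath: str | None)` suggests that is possible) the region charm is switched to `tls_mode = "termination"` without a certificate actually being configured on the proxy. A truthiness check is safer: `if enable_haproxy and haproxy_vars.get("ssl_cert"):`. The branch also deserves a why-comment, e.g. `# Terminate TLS on the region only when haproxy was deployed with a certificate; otherwise leave the charm default.` extra_tfvars begins before this hunk.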
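Review bot: In the new `merge(local.tls_mode, var.charm_maas_region_config)` the operator-supplied map is the last argument, so a `tls_mode` key in `charm_maas_region_config` silently overrides the value derived from `var.tls_mode`; if that precedence is intended it should be stated, otherwise the arguments should be swapped. Suggested comment above the `config` attribute: `# charm_maas_region_config wins over the computed tls_mode so operators can override it explicitly.` The `locals` block added in the previous hunk emits the key only when `var.tls_mode` is non-empty, which keeps the charm's own default when nothing is set; a one-line comment there would make that intent clear.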
@@ -71,3 +71,9 @@ variable "max_connections_per_region" { type = number default = 50 } + +variable "tls_mode" { + description = "TLS Mode for MAAS Region charm ('', 'termination', or 'passthrough')" + type = string + default = "" +} \ No newline at end of file
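Review bot: The new `tls_mode` variable lists the accepted values ('', 'termination', 'passthrough') in its description but does not enforce them, so a misspelling is passed straight through to the charm config and only surfaces as a charm-side failure. A `validation` block on the variable rejects it at plan time instead. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.
```hcl
variable "tls_mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["", "termination", "passthrough"], var.tls_mode)
    error_message = "tls_mode must be one of '', 'termination' or 'passthrough'."
  }
}
```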