Pass contents of ssl key/cert to maas-region variables instead of fil…

…epath. Let maas-region handle creating the files in the proper place

anvil-python/anvil/commands/haproxy.py

@@ -48,7 +48,11 @@
 
 def validate_cert_file(filepath: str | None) -> None:
     if filepath is None:
-        return
+        # This question is only asked when tls_mode is "termination" or "passthrough"
+        # so not supplying a file is not an option.
+        raise ValueError(
+            "Please provide a certificate file when enabling TLS."
+        )
     if not os.path.isfile(filepath):
         raise ValueError(f"{filepath} does not exist")
     try:
@@ -61,7 +65,11 @@ def validate_cert_file(filepath: str | None) -> None:
 
 def validate_key_file(filepath: str | None) -> None:
     if filepath is None:
-        return
+        # This question is only asked when tls_mode is "termination" or "passthrough"
+        # so not supplying a file is not an option.
+        raise ValueError(
+            "Please provide a certificate file when enabling TLS."
+        )
     if not os.path.isfile(filepath):
         raise ValueError(f"{filepath} does not exist")
     try:
@@ -81,6 +89,7 @@ def validate_virtual_ip(value: str) -> str:
     except ValueError as e:
         raise ValueError(f"{value} is not a valid IP address: {e}")
 
+
 def validate_tls_mode(value: str) -> None:
     if value not in VALID_TLS_MODES:
         raise ValueError(f"TLS Mode must be one of {VALID_TLS_MODES}")
@@ -104,8 +113,8 @@ def haproxy_questions() -> dict[str, questions.PromptQuestion]:
             validation_function=validate_key_file,
         ),
         "tls_mode": questions.PromptQuestion(
-            "TLS termination at HA Proxy (\"termination\"), or passthrough to MAAS (\"passthrough\")?",
-            default_value="termination",
+            'TLS termination at HA Proxy ("termination"), passthrough to MAAS ("passthrough"), or no TLS ("")?',
+            default_value="",
             validation_function=validate_tls_mode,
         ),
     }
@@ -162,15 +171,15 @@ def has_prompts(self) -> bool:
     def prompt(self, console: Console | None = None) -> None:
         variables = questions.load_answers(self.client, self._HAPROXY_CONFIG)
         variables.setdefault("virtual_ip", "")
-        variables.setdefault("ssl_cert", None)
-        variables.setdefault("ssl_key", None)
-        variables.setdefault("tls_mode", "termination")
+        variables.setdefault("ssl_cert_content", "")
+        variables.setdefault("ssl_key_content", "")
+        variables.setdefault("tls_mode", "")
 
         # Set defaults
         self.preseed.setdefault("virtual_ip", "")
         self.preseed.setdefault("ssl_cert", None)
         self.preseed.setdefault("ssl_key", None)
-        self.preseed.setdefault("tls_mode", "termination")
+        self.preseed.setdefault("tls_mode", "")
 
         haproxy_config_bank = questions.QuestionBank(
             questions=haproxy_questions(),
@@ -179,15 +188,15 @@ def prompt(self, console: Console | None = None) -> None:
             previous_answers=variables,
             accept_defaults=self.accept_defaults,
         )
-
-        cert_filepath = haproxy_config_bank.ssl_cert.ask()
-        variables["ssl_cert"] = cert_filepath
-        key_filepath = haproxy_config_bank.ssl_key.ask()
-        variables["ssl_key"] = key_filepath
-        tls_mode = ""
-        if variables["ssl_cert"] is not None:
-            tls_mode = haproxy_config_bank.tls_mode.ask()
+        tls_mode = haproxy_config_bank.tls_mode.ask()
         variables["tls_mode"] = tls_mode
+        if tls_mode:
+            cert_filepath = haproxy_config_bank.ssl_cert.ask()
+            key_filepath = haproxy_config_bank.ssl_key.ask()
+            with open(cert_filepath) as cert_file:
+                variables["ssl_cert_content"] = cert_file.read()
+            with open(key_filepath) as key_file:
+                variables["ssl_key_content"] = key_file.read()
         virtual_ip = haproxy_config_bank.virtual_ip.ask()
         variables["virtual_ip"] = virtual_ip
 
@@ -199,21 +208,15 @@ def extra_tfvars(self) -> dict[str, Any]:
             self.client, self._HAPROXY_CONFIG
         )
 
-        cert_filepath = variables["ssl_cert"]
-        key_filepath = variables["ssl_key"]
-        if cert_filepath is not None and key_filepath is not None:
-            with open(cert_filepath) as cert_file:
-                variables["ssl_cert_content"] = cert_file.read()
-            with open(key_filepath) as key_file:
-                variables["ssl_key_content"] = key_file.read()
+        if variables["tls_mode"]:
             variables["haproxy_port"] = 443
-            variables["haproxy_services_yaml"] = self.get_tls_services_yaml(variables["tls_mode"])
+            variables["haproxy_services_yaml"] = self.get_tls_services_yaml(
+                variables["tls_mode"]
+            )
         else:
             variables["haproxy_port"] = 80
 
         # Terraform does not need the content of these answers
-        variables.pop("ssl_cert", None)
-        variables.pop("ssl_key", None)
         variables.pop("tls_mode", None)
 
         LOG.debug(f"extra tfvars: {variables}")
@@ -236,9 +239,12 @@ def get_tls_services_yaml(self, tls_mode: str) -> str:
   service_options:
     - balance leastconn
     - cookie SRVNAME insert
-    - http-request redirect scheme https unless { ssl_fc }
-  server_options: maxconn 100 cookie S{i} check
-  """ + ("crts: [DEFAULT]" if tls_mode == "termination" else "") + """
+    - http-request redirect scheme https unless { ssl_fc }"""
+            + ("\n    - mode tcp" if tls_mode == "passthrough" else "")
+            + """
+  server_options: maxconn 100 cookie S{i} check"""
+            + ("\n  crts: [DEFAULT]" if tls_mode == "termination" else "")
+            + """
 - service_name: agent_service
   service_host: 0.0.0.0
   service_port: 80

anvil-python/anvil/commands/maas_region.py

@@ -77,9 +77,9 @@ def extra_tfvars(self) -> dict[str, Any]:
             self.client, HAPROXY_CONFIG_KEY
         )
         variables["tls_mode"] = haproxy_vars["tls_mode"]
-        if variables["tls_mode"]:
-            variables["ssl_cert"] = haproxy_vars["ssl_cert"]
-            variables["ssl_key"] = haproxy_vars["ssl_key"]
+        if variables["tls_mode"] == "passthrough":
+            variables["ssl_cert_content"] = haproxy_vars["ssl_cert_content"]
+            variables["ssl_key_content"] = haproxy_vars["ssl_key_content"]
         return variables
 
 

cloud/etc/deploy-maas-region/main.tf

@@ -32,8 +32,8 @@ data "juju_model" "machine_model" {
 
 locals {
   tls_mode = var.tls_mode != "" ? { tls_mode = var.tls_mode } : {}
-  ssl_cert = var.ssl_cert != "" ? { ssl_cert = var.ssl_cert } : {}
-  ssl_key  = var.ssl_key != "" ? { ssl_key = var.ssl_key } : {}
+  ssl_cert_content = var.ssl_cert_content != "" ? { ssl_cert_content = var.ssl_cert_content } : {}
+  ssl_key_content  = var.ssl_key_content != "" ? { ssl_key_content = var.ssl_key_content } : {}
 }
 
 resource "juju_application" "maas-region" {
@@ -50,8 +50,8 @@ resource "juju_application" "maas-region" {
 
   config = merge(
     local.tls_mode,
-    local.ssl_cert,
-    local.ssl_key,
+    local.ssl_cert_content,
+    local.ssl_key_content,
     var.charm_maas_region_config,
   )
 }

cloud/etc/deploy-maas-region/variables.tf

@@ -78,14 +78,14 @@ variable "tls_mode" {
   default     = ""
 }
 
-variable "ssl_cert" {
-  description = "Path to SSL certificate for tls_mode=passthrough"
+variable "ssl_cert_content" {
+  description = "SSL certificate for tls_mode=passthrough"
   type        = string
   default     = ""
 }
 
-variable "ssl_key" {
-  description = "Path to SSL private key for tls_mode=passthrough"
+variable "ssl_key_content" {
+  description = "SSL private key for tls_mode=passthrough"
   type        = string
   default     = ""
 }