add back in basic validation for CA cert chain. Include tls questions…

… in preseed and manifest, and create section for maas-region in preseed/manifest. do not pass CA cert to ha proxy charm variables

anvil-python/anvil/commands/haproxy.py

@@ -75,9 +75,9 @@ def validate_cacert_chain(filepath: str) -> None:
     if filepath == "":
         return
     try:
-        # just make sure we can open the file
-        with open(filepath):
-            pass
+        with open(filepath) as f:
+            if "BEGIN CERTIFICATE" not in f.read():
+                raise ValueError("Invalid CA certificate file")
     except FileNotFoundError:
         raise ValueError(f"{filepath} does not exist")
     except PermissionError:
@@ -115,7 +115,7 @@ def tls_questions(tls_modes: list[str]) -> dict[str, questions.PromptQuestion]:
             validation_function=validate_key_file,
         ),
         "ssl_cacert": questions.PromptQuestion(
-            "Path to cacert chain, for use with self-signed ssl certificates (enter nothing to skip)",
+            "Path to CA cert chain, for use with self-signed SSL certificates (enter nothing to skip)",
             default_value="",
             validation_function=validate_cacert_chain,
         ),
@@ -253,9 +253,6 @@ def extra_tfvars(self) -> dict[str, Any]:
                 variables["ssl_cert_content"] = cert_file.read()
             with open(variables["ssl_key"]) as key_file:
                 variables["ssl_key_content"] = key_file.read()
-            if variables["ssl_cacert"]:
-                with open(variables["ssl_cacert"]) as cacert_file:
-                    variables["ssl_cacert_content"] = cacert_file.read()
         else:
             variables["haproxy_port"] = 80
 

anvil-python/anvil/provider/local/deployment.py

@@ -26,7 +26,16 @@
     LocalDeployment as SunbeamLocalDeployment,
 )
 
-from anvil.commands.haproxy import HAPROXY_CONFIG_KEY, haproxy_questions
+from anvil.commands.haproxy import (
+    HAPROXY_CONFIG_KEY,
+    HAPROXY_VALID_TLS_MODES,
+    haproxy_questions,
+    tls_questions,
+)
+from anvil.commands.maas_region import (
+    MAAS_REGION_VALID_TLS_MODES,
+    MAASREGION_CONFIG_KEY,
+)
 from anvil.commands.postgresql import (
     POSTGRESQL_CONFIG_KEY,
     postgresql_questions,
@@ -77,14 +86,30 @@ def generate_preseed(self, console: Console) -> str:
             variables = load_answers(client, HAPROXY_CONFIG_KEY)
         except ClusterServiceUnavailableException:
             variables = {}
+        qs = haproxy_questions()
+        qs.update(tls_questions(HAPROXY_VALID_TLS_MODES))
         haproxy_config_bank = QuestionBank(
-            questions=haproxy_questions(),
+            questions=qs,
             console=console,
             previous_answers=variables,
         )
         preseed_content.extend(
             show_questions(haproxy_config_bank, section="haproxy")
         )
 
+        # MAAS region questions
+        try:
+            variables = load_answers(client, MAASREGION_CONFIG_KEY)
+        except ClusterServiceUnavailableException:
+            variables = {}
+        maas_region_config_bank = QuestionBank(
+            questions=tls_questions(MAAS_REGION_VALID_TLS_MODES),
+            console=console,
+            previous_answers=variables,
+        )
+        preseed_content.extend(
+            show_questions(maas_region_config_bank, section="maas-region")
+        )
+
         preseed_content_final = "\n".join(preseed_content)
         return preseed_content_final

anvil-python/anvil/versions.py

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-MAAS_REGION_CHANNEL = "3.5/edge"
+MAAS_REGION_CHANNEL = "latest/edge/wyatt-test"
 MAAS_AGENT_CHANNEL = "3.5/edge"
 POSTGRESQL_CHANNEL = "14/stable"
 HAPROXY_CHANNEL = "latest/stable"