feat: TLS passthrough #67

Open
wants to merge 21 commits into
base: main

wyattrees
Contributor

Adds configuration for passing encrypted requests through HAProxy, to MAAS.

Requires merging of canonical/maas-charms#220. Until it is merged, you can use latest/edge/passthrough-test for the maas-region charm channel

@wyattrees
Contributor Author

Note: the git history is a bit messed up on this, since my branch was originally branched off of my TLS Termination branch

@skatsaounis skatsaounis linked an issue Sep 6, 2024 that may be closed by this pull request
SK1Y101 previously approved these changes Sep 24, 2024
Member

@SK1Y101 SK1Y101 left a comment

Not much extra to add, looks good

Collaborator

@skatsaounis skatsaounis left a comment

Thank you for taking care of the comments. I added a couple more but hopefully the last ones. In addition to those, could you also rebase to latest main?

return
try:
# just make sure we can open the file
with open(filepath):
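
Review bot: the `with open(filepath):` under the comment "just make sure we can open the file" only confirms that the path is readable at validation time; it says nothing about what the file contains. If this check is meant to catch a certificate and a key being swapped, and the body of the `with` does not already do so, read the first PEM header line there and compare it with the type expected for that option, and apply the same check to every file option this command accepts.
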
Collaborator

and remove lines 78,79. If we decide to leave the checks for cert and key, let's do the same for cacert

Contributor Author

I'm a little confused between this comment and the one above--are we leaving the check or removing it? The purpose behind checking was more to make sure they didn't accidentally pass a private key file as a cert or vice versa, not to fully check that the certificate is actually a valid one. I'm going to leave the check as the suggestion above gives for now.
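
Added example, not part of the comment above or of the Anvil code base: one way to tell a certificate file from a private key file by PEM label alone, without parsing or verifying either. The function names, file names and placeholder PEM bodies are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM boundary line, e.g. "-----BEGIN CERTIFICATE-----" (RFC 7468)
_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def pem_labels(filepath):
    """Return the PEM labels found in the file, in order of appearance."""
    text = Path(filepath).read_text(encoding="ascii", errors="replace")
    return _PEM_BEGIN.findall(text)


def check_pem_role(filepath, role):
    """Raise ValueError unless the PEM labels fit role ("cert" or "key")."""
    labels = pem_labels(filepath)
    if not labels:
        raise ValueError(f"{filepath}: no PEM block found")
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if role == "cert" and (has_key or not has_cert):
        raise ValueError(f"{filepath}: expected a certificate, found {labels}")
    if role == "key" and (has_cert or not has_key):
        raise ValueError(f"{filepath}: expected a private key, found {labels}")
    return labels


def demo():
    """Run the check on constructed placeholder files (no real key material)."""
    pem = "-----BEGIN {0}-----\nQ09OU1RSVUNURUQ=\n-----END {0}-----\n"  # constructed
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = Path(tmp, "tls.crt"), Path(tmp, "tls.key")
        cert.write_text(pem.format("CERTIFICATE"))
        key.write_text(pem.format("PRIVATE KEY"))
        cases = {"cert_as_cert": (cert, "cert"), "key_as_key": (key, "key"),
                 "key_as_cert": (key, "cert"), "cert_as_key": (cert, "key")}
        for name, (path, role) in cases.items():
            try:
                check_pem_role(path, role)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

A CA bundle passes as role "cert" because every block in it is labelled `CERTIFICATE`; a file that combines a certificate and its key is rejected for both roles.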

wyattrees and others added 20 commits October 3, 2024 10:36
…es. Set tls config via settings yaml crts directory.

Add instructions for TLS termination to README
…its end. Change agent-service to agent_service to comply with underscore convention
…epath. Let maas-region handle creating the files in the proper place
…pty string instead of None. Make default tls_mode value 'disabled' instead of empty string
… in preseed and manifest, and create section for maas-region in preseed/manifest. do not pass CA cert to ha proxy charm variables
Successfully merging this pull request may close these issues.

[feature-request] Enable TLS in MAAS
3 participants