ERP5: Test balancer partition and use caucase certificate for balancer
Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now. Use [managed resources](nexedi/slapos.core!259) to simplify existing tests and introduce tests for: ## Access Log - [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests. - [x] these logs should be rotated daily - [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is ran on these logs daily. ## Balancing - [x] requests are balanced to multiple backends using round-robin algorithm - [x] if backend is down it is excluded - [x] a "sticky cookie" is used so that clients are associated to the same backend - [x] the cookie is set by balancer - [x] when client comes with a cookie it "sticks" on the associated backend - [x] if "sticked" backend is down, another backend will be used ## Content-Encoding - [x] balancer encodes responses in gzip for some configured content types. ## HTTP - [x] Server uses HTTP/1.1 or more and keep connection with clients ## TLS (server certificate) In this MR we also change apache to use a caucase managed certificate and add test coverage for: - [x] balancer listen on https with a certificate that can be verified using the CA from caucase. - [x] balancer uses the new certificate when its own certificate is renewed. But we don't add support for: - ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this. ## TLS (client certificate) - [x] balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section ) - [x] if frontend provided a verified certificate, balancer set `remote-user` header - [x] balancer updates CRL from caucases ( `caucase-updater-housekeeper` ) - (NOT TESTED) balancer updates CA certificate from caucase ( `caucase-updater-housekeeper` ). Since this is would be complex to test and basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by CRL test, we don't test this for simplicity. ## "Forwarded-For" header This was also covered by existing tests: - [x] balancer set `X-Forwarded-For` header when frontend certificate can be verified - [x] balancer strips existing `X-Forwarded-For` ## Integration with the rest of ERP5 software release This was also covered by existing tests: - [x] The https URL of each Zope family is published and replies properly - [x] Some https URLs are generated for `runUnitTest`, so that test run with an https certificate. This is also covered by regular ERP5 functional tests. See merge request nexedi/slapos!840
Showing
This diff is collapsed.