1. 04 Nov, 2020 1 commit
    • ERP5: Test balancer partition and use caucase certificate for balancer · af7a0208
      Jérome Perrin authored
      Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us from using caucase certificate now.
       
      Use [managed resources](slapos.core!259) to simplify existing tests and introduce tests for:
      
      ## Access Log
      
       - [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
       - [x] these logs should be rotated daily
       - [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is run on these logs daily.
      
      ## Balancing
      
       - [x] requests are balanced to multiple backends using round-robin algorithm
       - [x] if backend is down it is excluded
       - [x] a "sticky cookie" is used so that clients are associated to the same backend
          - [x] the cookie is set by balancer
          - [x] when client comes with a cookie it "sticks" on the associated backend
          - [x] if "sticked" backend is down, another backend will be used
      
      ## Content-Encoding
      
       - [x] balancer encodes responses in gzip for some configured content types.
      
      ## HTTP
      
       - [x] Server uses HTTP/1.1 or more and keeps connections with clients
      
      ## TLS (server certificate)
      
      In this MR we also change apache to use a caucase managed certificate and add test coverage for:
      
       - [x] balancer listens on https with a certificate that can be verified using the CA from caucase.
       - [x] balancer uses the new certificate when its own certificate is renewed.
      
      But we don't add support for:
       -  ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this.
      
      ## TLS (client certificate)
       - [x] balancer verifies frontend certificates from frontend caucases (also tested in "Forwarded-For" section)
       - [x] if frontend provided a verified certificate, balancer sets `remote-user` header
       - [x] balancer updates CRL from caucases (`caucase-updater-housekeeper`)
       - (NOT TESTED) balancer updates CA certificate from caucase (`caucase-updater-housekeeper`). Since this would be complex to test and basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by CRL test, we don't test this for simplicity.
      
      ## "Forwarded-For" header
      
      This was also covered by existing tests:  
      
       - [x] balancer sets `X-Forwarded-For` header when frontend certificate can be verified
       - [x] balancer strips existing `X-Forwarded-For`
      
      ## Integration with the rest of ERP5 software release
      
      This was also covered by existing tests:  
      
      - [x] The https URL of each Zope family is published and replies properly
      - [x] Some https URLs are generated for `runUnitTest`, so that tests run with an https certificate. This is also covered by regular ERP5 functional tests.
      
      See merge request !840
  2. 02 Nov, 2020 4 commits
  3. 30 Oct, 2020 1 commit
  4. 29 Oct, 2020 5 commits
  5. 28 Oct, 2020 3 commits
  6. 27 Oct, 2020 12 commits
  7. 26 Oct, 2020 4 commits
  8. 23 Oct, 2020 10 commits