ERP5: Test balancer partition and use caucase certificate for balancer (!840) · Merge Requests · nexedi / slapos · GitLab

Skip to content

Projects
Groups
Snippets
Help

Loading...
Sign in / Register

Project overview
Repository
Labels
Merge Requests 105
- Merge Requests 105
CI / CD
Analytics
Snippets
- Snippets
Members
- Members

Collapse sidebar

Activity
Graph
Jobs
Commits

nexedi
slapos
Merge Requests
!840

Merged

Opened Oct 19, 2020 by Jérome Perrin @jerome20 of 20 tasks completed20/20 tasks

Report abuse

ERP5: Test balancer partition and use caucase certificate for balancer

Overview 14
Commits 10
Pipelines 2
Changes 7

Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.

Use managed resources to simplify existing tests and introduce tests for:

Access Log

balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
these logs should be rotated daily
an apachedex report is ran on these logs daily.

Balancing

requests are balanced to multiple backends using round-robin algorithm
if backend is down it is excluded
a "sticky cookie" is used so that clients are associated to the same backend
- the cookie is set by balancer
- when client comes with a cookie it "sticks" on the associated backend
- if "sticked" backend is down, another backend will be used

Content-Encoding

balancer encodes responses in gzip for some configured content types.

HTTP

Server uses HTTP/1.1 or more and keep connection with clients

TLS (server certificate)

In this MR we also change apache to use a caucase managed certificate and add test coverage for:

balancer listen on https with a certificate that can be verified using the CA from caucase.
balancer uses the new certificate when its own certificate is renewed.

But we don't add support for:

~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code here)~~ this use case is the job of caucase, so we no longer support this.

TLS (client certificate)

balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
if frontend provided a verified certificate, balancer set remote-user header
balancer updates CRL from caucases ( caucase-updater-housekeeper )
(NOT TESTED) balancer updates CA certificate from caucase ( caucase-updater-housekeeper ). Since this is would be complex to test and basic functionality of caucase-updater-housekeeper for frontend caucases is covered by CRL test, we don't test this for simplicity.

"Forwarded-For" header

This was also covered by existing tests:

balancer set X-Forwarded-For header when frontend certificate can be verified
balancer strips existing X-Forwarded-For

Integration with the rest of ERP5 software release

This was also covered by existing tests:

The https URL of each Zope family is published and replies properly
Some https URLs are generated for runUnitTest, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.

Revert f8f72a17e ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.
 
Use [managed resources](https://lab.nexedi.com/nexedi/slapos.core/merge_requests/259) to simplify existing tests and introduce tests for:

## Access Log

- [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
 - [x] these logs should be rotated daily
 - [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is ran on these logs daily.

## Balancing

- [x] requests are balanced to multiple backends using round-robin algorithm
 - [x] if backend is down it is excluded
 - [x] a "sticky cookie" is used so that clients are associated to the same backend
    - [x] the cookie is set by balancer
    - [x] when client comes with a cookie it "sticks" on the associated backend
    - [x] if "sticked" backend is down, another backend will be used

## Content-Encoding

- [x] balancer encodes responses in gzip for some configured content types.

## HTTP

- [x] Server uses HTTP/1.1 or more and keep connection with clients

## TLS (server certificate)

In this MR we also change apache to use a caucase managed certificate and add test coverage for:

- [x] balancer listen on https with a certificate that can be verified using the CA from caucase.
 - [x] balancer uses the new certificate when its own certificate is renewed.

But we don't add support for:
 -  ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this.

## TLS (client certificate)
 - [x] balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
 - [x] if frontend provided a verified certificate, balancer set `remote-user` header
 - [x] balancer updates CRL from caucases ( `caucase-updater-housekeeper` )
 - (NOT TESTED) balancer updates CA certificate from caucase ( `caucase-updater-housekeeper` ). Since this is would be complex to test and basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by CRL test, we don't test this for simplicity.

## "Forwarded-For" header

This was also covered by existing tests:

- [x] balancer set `X-Forwarded-For` header when frontend certificate can be verified
 - [x] balancer strips existing `X-Forwarded-For`

## Integration with the rest of ERP5 software release

This was also covered by existing tests:

- [x] The https URL of each Zope family is published and replies properly
- [x] Some https URLs are generated for `runUnitTest`, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.

Edited Oct 23, 2020 by Jérome Perrin

Assignee

Assign to

None

Milestone

None

Assign milestone

Time tracking

0

Labels

None

Assign labels

View project labels

Reference: nexedi/slapos!840

Revert this merge request

This will create a new commit in order to revert the existing changes.

Revert in branch

Switch branch

A new branch will be created in your fork and a new merge request will be started.

Cherry-pick this merge request

Pick into branch

Switch branch

A new branch will be created in your fork and a new merge request will be started.

GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7