Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
slapos slapos
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Labels
    • Labels
  • Merge requests 122
    • Merge requests 122
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Environments
  • Analytics
    • Analytics
    • CI/CD
    • Repository
    • Value Stream
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
  • Graph
  • Jobs
  • Commits
Collapse sidebar
  • nexedi
  • slaposslapos
  • Merge requests
  • !840

Merged
Created Oct 19, 2020 by Jérome Perrin@jeromeOwner20 of 20 tasks completed20/20 tasks

ERP5: Test balancer partition and use caucase certificate for balancer

  • Overview 14
  • Commits 10
  • Pipelines 2
  • Changes 7

Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.

Use managed resources to simplify existing tests and introduce tests for:

Access Log

  • balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
  • these logs should be rotated daily
  • an apachedex report is ran on these logs daily.

Balancing

  • requests are balanced to multiple backends using round-robin algorithm
  • if backend is down it is excluded
  • a "sticky cookie" is used so that clients are associated to the same backend
    • the cookie is set by balancer
    • when client comes with a cookie it "sticks" on the associated backend
    • if "sticked" backend is down, another backend will be used

Content-Encoding

  • balancer encodes responses in gzip for some configured content types.

HTTP

  • Server uses HTTP/1.1 or more and keep connection with clients

TLS (server certificate)

In this MR we also change apache to use a caucase managed certificate and add test coverage for:

  • balancer listen on https with a certificate that can be verified using the CA from caucase.
  • balancer uses the new certificate when its own certificate is renewed.

But we don't add support for:

  • balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code here) this use case is the job of caucase, so we no longer support this.

TLS (client certificate)

  • balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
  • if frontend provided a verified certificate, balancer set remote-user header
  • balancer updates CRL from caucases ( caucase-updater-housekeeper )
  • (NOT TESTED) balancer updates CA certificate from caucase ( caucase-updater-housekeeper ). Since this is would be complex to test and basic functionality of caucase-updater-housekeeper for frontend caucases is covered by CRL test, we don't test this for simplicity.

"Forwarded-For" header

This was also covered by existing tests:

  • balancer set X-Forwarded-For header when frontend certificate can be verified
  • balancer strips existing X-Forwarded-For

Integration with the rest of ERP5 software release

This was also covered by existing tests:

  • The https URL of each Zope family is published and replies properly
  • Some https URLs are generated for runUnitTest, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.
Edited Oct 23, 2020 by Jérome Perrin
Assignee
Assign to
Reviewer
Request review from
None
Milestone
None
Assign milestone
Time tracking
Source branch: feat/erp5_balancer_test
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7