Skip to content

GitLab

Projects
Groups
Snippets
Help

Loading...
Help
Sign in / Register

Project overview
Repository
Labels
- Labels
Merge requests 122
- Merge requests 122
CI/CD
Operations
Analytics
Snippets
- Snippets
Members
- Members
Activity
Graph
Jobs
Commits

Collapse sidebar

nexedi
slapos
Merge requests
!840

Merged

Created Oct 19, 2020 by Jérome Perrin @jeromeOwner20 of 20 tasks completed20/20 tasks

ERP5: Test balancer partition and use caucase certificate for balancer

Overview 14
Commits 10
Pipelines 2
Changes 7

Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.

Use managed resources to simplify existing tests and introduce tests for:

Access Log

balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
these logs should be rotated daily
an apachedex report is ran on these logs daily.

Balancing

requests are balanced to multiple backends using round-robin algorithm
if backend is down it is excluded
a "sticky cookie" is used so that clients are associated to the same backend
- the cookie is set by balancer
- when client comes with a cookie it "sticks" on the associated backend
- if "sticked" backend is down, another backend will be used

Content-Encoding

balancer encodes responses in gzip for some configured content types.

HTTP

Server uses HTTP/1.1 or more and keep connection with clients

TLS (server certificate)

In this MR we also change apache to use a caucase managed certificate and add test coverage for:

balancer listen on https with a certificate that can be verified using the CA from caucase.
balancer uses the new certificate when its own certificate is renewed.

But we don't add support for:

~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code here)~~ this use case is the job of caucase, so we no longer support this.

TLS (client certificate)

balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
if frontend provided a verified certificate, balancer set remote-user header
balancer updates CRL from caucases ( caucase-updater-housekeeper )
(NOT TESTED) balancer updates CA certificate from caucase ( caucase-updater-housekeeper ). Since this is would be complex to test and basic functionality of caucase-updater-housekeeper for frontend caucases is covered by CRL test, we don't test this for simplicity.

"Forwarded-For" header

This was also covered by existing tests:

balancer set X-Forwarded-For header when frontend certificate can be verified
balancer strips existing X-Forwarded-For

Integration with the rest of ERP5 software release

This was also covered by existing tests:

The https URL of each Zope family is published and replies properly
Some https URLs are generated for runUnitTest, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.

Edited Oct 23, 2020 by Jérome Perrin

Assignee

Assign to

Reviewer

Request review from

None

Milestone

None

Assign milestone

Time tracking

Source branch: feat/erp5_balancer_test

GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7