1. 11 Nov, 2020 1 commit
  2. 10 Nov, 2020 6 commits
    • Jérome Perrin's avatar
      stack/erp5: stop using caucase managed certificate for balancer · 620c9332
      Jérome Perrin authored
      Revert "software/erp5: use a caucase managed certificate for balancer"
      
      This reverts commit 74d18b9d and also follow
      up fixup ( 555b26a2 ).
      
      We are not ready to use caucase here, there are still too many problems with
      caucase (keys are lost at each SR update etc) and design might still evolve,
      so let's go back to self signed certificate for now.
      
      Also remove the promise and the updater, since they are also not working and
      causing problems on instances that have been updated (and where the key no
      longer match the certificate)
      620c9332
    • Jérome Perrin's avatar
      fixup! software/erp5: use a caucase managed certificate for balancer · 555b26a2
      Jérome Perrin authored
      fix balancer CSR generation:
      
      Caucase rerequest uses a CSR *template* and use it to generate
      a new CSR with a new key, so we should not use the actual key to
      generate this CSR, because it is caucase rerequest job to generate
      the key.
      Also, we should be careful not to generate a new CSR every time this
      command run, otherwise a new key will be generated and a new CSR will
      be sent to caucase, but caucase will not sign it automatically (since
      we configure it to sign only one certificate).
      
      This means that the case of IP address changes is currently not
      supported automatically. To support it we would need to:
        - force generation of a new CSR template
        - force caucase rerequester to request a new certificate (by removing
        existing certificate)
        - force caucased to sign the new certificate
      
      This commit also fix indentation and remove simplefile macro that is no longer used
      555b26a2
    • Łukasz Nowak's avatar
      Feature Caddy Frontend Haproxy Active Check · fb49ccdb
      Łukasz Nowak authored
      See merge request !837
      fb49ccdb
    • Łukasz Nowak's avatar
      7f2e592d
    • Łukasz Nowak's avatar
      caddy-frontend: Allow to have simple backend · f1351dcb
      Łukasz Nowak authored
      Just running test.py with ip and port allows to expose the internal testing
      backend. IPv4 and IPv6 are supported.
      f1351dcb
    • Łukasz Nowak's avatar
      caddy-frontend: Fix software type usage · cc4d556b
      Łukasz Nowak authored
      By default there is no sense to play with software type, since it's fixed in
      slapos.testing.testcase.
      cc4d556b
  3. 09 Nov, 2020 1 commit
    • Łukasz Nowak's avatar
      caddy-frontend: Dodge lowercasing in profile generation · 3d747c95
      Łukasz Nowak authored
      slapos.cookbook:softwaretype tends to lowercase keys in each section, which
      has been undetected due to using lowercase references of slaves in the tests.
      
      By restructuring information in the sections, and putting slave references
      inside of dumped part of information, now the slave reference case is kept.
      
      Also real care was taken to stabilise published lists by sorting them, as it
      also slipped, that they could be unstable.
      
      Tests has been updated to catch this issue, also other tests were fixed, as
      they had wrong assertions.
      3d747c95
  4. 06 Nov, 2020 2 commits
  5. 05 Nov, 2020 1 commit
  6. 04 Nov, 2020 4 commits
    • Łukasz Nowak's avatar
      software/kvm: Fix textarea definition · 4d27608d
      Łukasz Nowak authored
      4d27608d
    • Łukasz Nowak's avatar
      Revert "software/kvm: Allow many CD-ROMs to boot from" · a3eb121e
      Łukasz Nowak authored
      This reverts commit cc1713c3.
      
      Unfortunately a lot of installation OS ISOs (like Debian 9 and 10) do not
      support such device during installation process, because of missing drivers
      on the OS CD.
      
      Also note the ISOs limitation in the advanced field.
      a3eb121e
    • Vincent Pelletier's avatar
      stack/erp5: Make bt5 default value a string at the last step. · 3c2ce500
      Vincent Pelletier authored
      Make the value and its changes easier to read.
      3c2ce500
    • Jérome Perrin's avatar
      ERP5: Test balancer partition and use caucase certificate for balancer · af7a0208
      Jérome Perrin authored
      Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.
       
      Use [managed resources](slapos.core!259) to simplify existing tests and introduce tests for:
      
      ## Access Log
      
       - [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
       - [x] these logs should be rotated daily
       - [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is ran on these logs daily.
      
      ## Balancing
      
       - [x] requests are balanced to multiple backends using round-robin algorithm
       - [x] if backend is down it is excluded
       - [x] a "sticky cookie" is used so that clients are associated to the same backend
          - [x] the cookie is set by balancer
          - [x] when client comes with a cookie it "sticks" on the associated backend
          - [x] if "sticked" backend is down, another backend will be used
      
      ## Content-Encoding
      
       - [x] balancer encodes responses in gzip for some configured content types.
      
      ## HTTP
      
       - [x] Server uses HTTP/1.1 or more and keep connection with clients
      
      ## TLS (server certificate)
      
      In this MR we also change apache to use a caucase managed certificate and add test coverage for:
      
       - [x] balancer listen on https with a certificate that can be verified using the CA from caucase.
       - [x] balancer uses the new certificate when its own certificate is renewed.
      
      But we don't add support for:
       -  ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this.
      
      ## TLS (client certificate)
       - [x] balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
       - [x] if frontend provided a verified certificate, balancer set `remote-user` header
       - [x] balancer updates CRL from caucases ( `caucase-updater-housekeeper` )
       - (NOT TESTED) balancer updates CA certificate from caucase ( `caucase-updater-housekeeper` ). Since this is would be complex to test and basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by CRL test, we don't test this for simplicity.
      
      ## "Forwarded-For" header
      
      This was also covered by existing tests:  
      
       - [x] balancer set `X-Forwarded-For` header when frontend certificate can be verified
       - [x] balancer strips existing `X-Forwarded-For`
      
      ## Integration with the rest of ERP5 software release
      
      This was also covered by existing tests:  
      
      - [x] The https URL of each Zope family is published and replies properly
      - [x] Some https URLs are generated for `runUnitTest`, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.
      
      See merge request !840
      af7a0208
  7. 02 Nov, 2020 4 commits
  8. 30 Oct, 2020 2 commits
  9. 29 Oct, 2020 5 commits
  10. 28 Oct, 2020 3 commits
  11. 27 Oct, 2020 11 commits