• Jérome Perrin's avatar
    ERP5: Test balancer partition and use caucase certificate for balancer · af7a0208
    Jérome Perrin authored
    Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us drom using caucase certificate now.
     
    Use [managed resources](nexedi/slapos.core!259) to simplify existing tests and introduce tests for:
    
    ## Access Log
    
     - [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
     - [x] these logs should be rotated daily
     - [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is ran on these logs daily.
    
    ## Balancing
    
     - [x] requests are balanced to multiple backends using round-robin algorithm
     - [x] if backend is down it is excluded
     - [x] a "sticky cookie" is used so that clients are associated to the same backend
        - [x] the cookie is set by balancer
        - [x] when client comes with a cookie it "sticks" on the associated backend
        - [x] if "sticked" backend is down, another backend will be used
    
    ## Content-Encoding
    
     - [x] balancer encodes responses in gzip for some configured content types.
    
    ## HTTP
    
     - [x] Server uses HTTP/1.1 or more and keep connection with clients
    
    ## TLS (server certificate)
    
    In this MR we also change apache to use a caucase managed certificate and add test coverage for:
    
     - [x] balancer listen on https with a certificate that can be verified using the CA from caucase.
     - [x] balancer uses the new certificate when its own certificate is renewed.
    
    But we don't add support for:
     -  ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this.
    
    ## TLS (client certificate)
     - [x] balancer verifies frontend certificates from frontend caucases ( also tested in "Forwarded-For" section )
     - [x] if frontend provided a verified certificate, balancer set `remote-user` header
     - [x] balancer updates CRL from caucases ( `caucase-updater-housekeeper` )
     - (NOT TESTED) balancer updates CA certificate from caucase ( `caucase-updater-housekeeper` ). Since this is would be complex to test and basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by CRL test, we don't test this for simplicity.
    
    ## "Forwarded-For" header
    
    This was also covered by existing tests:  
    
     - [x] balancer set `X-Forwarded-For` header when frontend certificate can be verified
     - [x] balancer strips existing `X-Forwarded-For`
    
    ## Integration with the rest of ERP5 software release
    
    This was also covered by existing tests:  
    
    - [x] The https URL of each Zope family is published and replies properly
    - [x] Some https URLs are generated for `runUnitTest`, so that test run with an https certificate. This is also covered by regular ERP5 functional tests.
    
    See merge request nexedi/slapos!840
    af7a0208
software.cfg 8.29 KB