This repository was archived by the owner on Nov 14, 2022. It is now read-only.

TODO.md

  • [~] publish test status

    • configure surefire-report-plugin to generate report
      • Configure a single aggregated report for all submodules
        • https://stackoverflow.com/questions/21585037/maven-reporting-and-site-generation-for-multiple-module-project mentions need to have separate aggregator and parent pom
          • configure separate parent and aggregator
          [ERROR]   The project com.orange.cloud.servicebroker:service-broker-filter-core:2.4.0.BUILD-SNAPSHOT (/home/guillaume/code/sec-group-broker-filter/service-broker-filter-core/pom.xml) has 1 error
          [ERROR]     Non-resolvable parent POM for com.orange.cloud.servicebroker:service-broker-filter-core:2.4.0.BUILD-SNAPSHOT: Could not find artifact com.orange.cloud.servicebroker:service-broker-filter-parent:pom:2.4.0.BUILD-SNAPSHOT and 'parent.relativePath' points at wrong local POM @ line 20, column 13 -> [Help 2]
          
          • => squashed and suspended for now.
      • Copy each report individually with a unique name
    • review list of tests
    • add an href into a badge on README
  • fix prometheus exporter endpoint

  • manually test behavior during binding/unbinding

  • polish & merge

    • rebase/squash
    • review logs and adjust default log levels
  • release

  • Support cf create-service-key command #97
  • openjdk 8 252 okHttp compatibility bug #197
  • sec-group-broker-filter is embedding vulnerable tomcat version in its jars #52
  • sec-group broker filter needs version bumps to be compatible with java buildpack 4.32.1 #198
  • bump version in paas-templates

    • redis
    • other sec-groups
      • [x] check this is not dependent on newly introduced properties. Diff manifest file
      • revert workaround (jdk8 pinning) in manifest
      • manually check status
        • delete space prometheus-probe
        An unbind operation for the service binding between app probe-internet-apps-domains and service instance ha-internet failed: The service broker rejected the request. Status Code: 404 Not Found, Body: 404 Not Found: Requested route ('internet-sec-group-broker-filter.redacted-domain.org') does not exist.
        
        o-intranet-proxy-access                                    https://intranet-proxy-sec-group-broker-filter.redacted-domain.org
        o-internet-ha-access                                       https://internet-sec-group-broker-filter.redacted-domain.org
                                                                          internet-sec-group-broker-filter.redacted-domain.org
        
  • refine smoke test assertions

    • benefits: allows future maintenance by merging dependabot PRs into a "bump" branch and watching the status in the Concourse pipeline, possibly automated at some point.

    • sec-group specific assertions

      • direct: ASG being created and removed
        • after service key, through assert_create_service_key "${SERVICE_INSTANCE}" "mykey"
          • save the service key in a variable or local file
             {
              "host": "192.168.30.190",
              "password": "0009105c-bd6b-441c-975b-7e85f844abe3",
              "port": 37903
             }
        • after service binding: new hook assert_create_service_binding "${SERVICE_INSTANCE}" "mybinding"
          • lookup service binding id from binding name
          • save binding id (in env var)
          • display security group with same id
          • verify security group matches service key
          $ cf security-group 345cfd50-6c0a-4323-ac34-ffe5d7117ab5
          Getting info for security group 345cfd50-6c0a-4323-ac34-ffe5d7117ab5 as gberche...
          OK
                  
          Name    345cfd50-6c0a-4323-ac34-ffe5d7117ab5
          Rules
            [
                {
                    "description": "generated by sec group filter broker for service binding 345cfd50-6c0a-4323-ac34-ffe5d7117ab5 to allow access to service instance gberche created from service broker p-redis.",
                    "destination": "192.168.30.190",
                    "ports": "39705",
                    "protocol": "tcp"
                }
            ]
          
               Organization      Space
          #0   service-sandbox   sec-group-cf-redis
          
        • after unbinding: new hook assert_delete_service_binding "${SERVICE_INSTANCE}" "mybinding"
          • verify no security group named after binding id
      • indirect: closed ASG in the smoke test space
        • Problem: running-security-groups already include the services ASG, which opens all ports to all services
        cf security-group services
        Getting info for security group services as gberche...
        OK
               
        Name    services
        Rules
         [
         	{
         		"description": "any TCP to NET_CF_SERVICES",
         		"destination": "192.168.30.0/24",
         		"ports": "1-65000",
         		"protocol": "tcp"
         	},
         	{
         		"description": "any TCP to NET_CF_SERVICES_2",
         		"destination": "192.168.31.0/24",
         		"ports": "1-65000",
         		"protocol": "tcp"
         	}
         ]
        
            Organization      Space
        #0   service-sandbox   mongodb-smoke-tests
        #1   service-sandbox   cassandra-smoke-tests
        
        
        • How to assert that requests are rejected before the sec-group-broker-filter opens them?
          • first bind the probe app to a redis instance not faced by sec-group-broker-filter
            • requires redis broker to be registered directly, at least in the smoke test space
              • set up terraform to
                • create smoke test space
                • register redis broker with name "direct-p-redis-broker"
              • modify smoke test to
                • cf create-service ... redis -b direct-p-redis-broker, then cf bind-service (cf bs)
                • assert timeout or connection rejected from probe
                • cf unbind-service + cf delete-service -f redis
                • then proceed with existing probe asserts
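The "after service binding" and "after unbinding" hooks sketched above, written as an added example in POSIX sh (not the project's own smoke-test code). It assumes a logged-in cf CLI, the v3 service_credential_bindings endpoint with its names filter, and that the broker names the ASG after the binding guid, as the cf security-group output above shows; the host and port are passed in from the saved service key.

```shell
# Added example (not the project's smoke-test code): bash hooks for the
# "after service binding" checks in the TODO. Assumes a logged-in cf CLI,
# the v3 service_credential_bindings endpoint (names filter), and an ASG
# named after the binding guid, as the TODO's `cf security-group` output shows.

# Print the string value of key $1 from a one-line JSON object $2 (empty if absent).
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Pure check: does any rule object in $3 (e.g. the full `cf security-group` output)
# grant tcp to exactly host $1 and port $2? A wide rule like "1-65000" does not match.
sg_rules_match_key() {
  host=$1; port=$2
  # Flatten and split into one {...} object per line; ASG rules are flat objects.
  objs=$(printf '%s' "$3" | tr -d '\n' | grep -o '{[^{}]*}') || true
  oldifs=$IFS; IFS='
'
  for rule in $objs; do
    IFS=$oldifs
    if [ "$(json_field protocol "$rule")" = tcp ] &&
       [ "$(json_field destination "$rule")" = "$host" ] &&
       [ "$(json_field ports "$rule")" = "$port" ]; then
      return 0
    fi
  done
  IFS=$oldifs
  return 1
}

# Look up the guid of binding $2 on service instance $1 (v3 API, assumed).
binding_guid() {
  inst_guid=$(cf service "$1" --guid)
  cf curl "/v3/service_credential_bindings?names=$2&service_instance_guids=$inst_guid" |
    tr -d '\n' | grep -o '"guid": *"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# Hook: after `cf bind-service`, the ASG named after the binding guid must open
# exactly the service key's host ($3) and port ($4).
assert_create_service_binding() {
  guid=$(binding_guid "$1" "$2")
  [ -n "$guid" ] || { echo "no binding named $2 on $1" >&2; return 1; }
  sg_rules_match_key "$3" "$4" "$(cf security-group "$guid")" ||
    { echo "ASG $guid does not match service key $3:$4" >&2; return 1; }
}

# Hook: after `cf unbind-service`, no ASG named after the binding guid ($1) may remain.
assert_delete_service_binding() {
  if cf security-group "$1" >/dev/null 2>&1; then
    echo "ASG $1 still exists after unbind" >&2; return 1
  fi
}
```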
    • actuator endpoint permissions

      • actuator/health is always reachable without auth
      • actuator/ is always returning 401 without auth
  • investigate the following warning:

    ```
    2020-09-01T11:22:10.43+0200 [APP/PROC/WEB/1] OUT 2020-09-01 09:22:10.429  INFO 12 --- [-client-epoll-1] cloudfoundry-client.compatibility        : Client supports API version 2.145.0 and is connected to server with API version 2.152.0. Things may not work as expected.
    2020-09-01T11:22:10.66+0200 [APP/PROC/WEB/0] OUT 2020-09-01 09:22:10.666  INFO 6 --- [-client-epoll-1] cloudfoundry-client.compatibility        : Client supports API version 2.145.0 and is connected to server with API version 2.152.0. Things may not work as expected.
    2020-09-01T11:22:10.78+0200 [APP/PROC/WEB/1] OUT 2020-09-01 09:22:10.782  INFO 12 --- [           main] c.o.c.s.f.s.BrokerFilterApplication      : Started BrokerFilterApplication in 4.317 seconds (JVM running for 5.062)
    2020-09-01T11:22:10.89+0200 [APP/PROC/WEB/0] OUT 2020-09-01 09:22:10.892  INFO 6 --- [           main] c.o.c.s.f.s.BrokerFilterApplication      : Started BrokerFilterApplication in 4.322 seconds (JVM running for 5.09)
    2020-09-01T11:22:11.26+0200 [APP/PROC/WEB/1] OUT Exit status 0
    2020-09-01T11:22:11.26+0200 [CELL/SSHD/1] OUT Exit status 0
    2020-09-01T11:22:11.37+0200 [APP/PROC/WEB/0] OUT Exit status 0
    2020-09-01T11:22:11.37+0200 [CELL/SSHD/0] OUT Exit status 0
    2020-09-01T11:22:16.63+0200 [CELL/0] OUT Cell 52fb3406-81d7-4ef2-a68f-ea5ff7cf7f3f stopping instance 596801c5-88f8-4419-656d-f953
    2020-09-01T11:22:16.63+0200 [CELL/0] OUT Cell 52fb3406-81d7-4ef2-a68f-ea5ff7cf7f3f destroying container for instance 596801c5-88f8-4419-656d-f953
    2020-09-01T11:22:16.64+0200 [CELL/1] OUT Cell 76c68bea-605d-42e6-958e-3372371d822b stopping instance b48274e4-d2b7-4339-57a4-3956
    2020-09-01T11:22:16.64+0200 [CELL/1] OUT Cell 76c68bea-605d-42e6-958e-3372371d822b destroying container for instance b48274e4-d2b7-4339-57a4-3956
    ```
    
    
  • release