Route termination options follow public url scheme #265
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hallelujah
changed the title
hallelujah
force-pushed
the
THREESCALE-3545
branch
4 times, most recently
from
c612486
to
e370fd0
Compare
hallelujah
changed the title
hallelujah
force-pushed
the
THREESCALE-3545
branch
from
e370fd0
to
1d2ba76
Compare
guicassolato
reviewed
Nov 5, 2019
| to: { | ||
| kind: 'Service', | ||
| name: service | ||
| } | ||
| }) | ||
| }.merge(tls: tls_options)) |
There was a problem hiding this comment.
Is it OK to merge tls: nil if uri.class != URI::HTTPS?
There was a problem hiding this comment.
Yes that is what k8s expect, there is a test for it
Anyway this PR is in conflict with the KUBERNETES_ROUTE_TLS env
I will think of a way to make it compatible later
EDIT: Actually you are right:
There might be other secure protocol that could be used but not supported right now. AFAIK we only accept HTTP and HTTPS
guicassolato
approved these changes
Nov 5, 2019
hallelujah
changed the title
hallelujah
changed the title
If public route was created with `http:` scheme, do not enforce secure route edge redirect Fixes THREESCALE-3545
Fixing:
Error: Database is uninitialized and superuser password is not specified.
You must specify POSTGRES_PASSWORD to a non-empty value for the
superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
connections without a password. This is *not* recommended.
See PostgreSQL documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
hallelujah
force-pushed
the
THREESCALE-3545
branch
from
c8385a2
to
cfff38f
Compare
This happens because we create a transaction, make a query then set transaction isolation level:
BEGIN
INSERT INTO ....
SET TRANSACTION ISOLATION LEVEL
To avoid that, isolate transaction aware tests into its own class
1) Error:
Prometheus::QueStatsTest#test_readonly_transaction:
ActiveRecord::StatementInvalid: PG::ActiveSqlTransaction: ERROR: SET TRANSACTION ISOLATION LEVEL must be called before any query
: SET TRANSACTION ISOLATION LEVEL SERIALIZABLE READ ONLY DEFERRABLE
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `exec'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:75:in `block (2 levels) in execute'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:48:in `block in permit_concurrent_loads'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activesupport-5.2.3/lib/active_support/concurrency/share_lock.rb:187:in `yield_shares'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activesupport-5.2.3/lib/active_support/dependencies/interlock.rb:47:in `permit_concurrent_loads'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:74:in `block in execute'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:581:in `block (2 levels) in log'
/usr/local/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:580:in `block in log'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activesupport-5.2.3/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract_adapter.rb:571:in `log'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/postgresql/database_statements.rb:73:in `execute'
/home/circleci/zync/lib/prometheus/que_stats.rb:41:in `block in execute'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract/database_statements.rb:267:in `block in transaction'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract/transaction.rb:239:in `block in within_new_transaction'
/usr/local/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract/transaction.rb:236:in `within_new_transaction'
/home/circleci/zync/vendor/bundle/ruby/2.4.0/gems/activerecord-5.2.3/lib/active_record/connection_adapters/abstract/database_statements.rb:267:in `transaction'
/home/circleci/zync/lib/prometheus/que_stats.rb:39:in `execute'
/home/circleci/zync/lib/prometheus/que_stats.rb:15:in `worker_stats'
/home/circleci/zync/test/lib/prometheus/que_stats_test.rb:28:in `test_readonly_transaction'
guicassolato
approved these changes
Mar 27, 2020
|
I need them to make it pass tests, and really opening 2 other PR is not going to happen :D |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If public route was created with
http:scheme, do not enforce secure route edge redirectFixes THREESCALE-3545
TODO
Issues/Questions
The following does not prevent the merge of this PR but we should take into account that when the environment variable
KUBERNETES_ROUTE_TLSis set to1,tortruethen it will prevent creatingnon secure routes, which might be an issue as Porta has something different from OpenShift
This prevents removing the
:tlsoptionzync/app/services/integration/kubernetes_service.rb
Lines 6 to 7 in 726962b
It is used in
zync/app/services/integration/kubernetes_service.rb
Lines 263 to 271 in 726962b
But the integration service builds all routes for both staging and production endpoint, so disabling the
maintain_tls_specfor the integration service is not possible because for example, staging route can be HTTP and production route can be HTTPSzync/app/services/integration/kubernetes_service.rb
Lines 153 to 158 in 726962b
Openshift testing
Using this Build config
Screenshots
Caveats
Due to OpenShift router limitation, the HTTP and HTTPS ports are automatically set by OpenShift
If you use different ports than
ROUTER_SERVICE_HTTP_PORTandROUTER_SERVICE_HTTPS_PORT, they are not taken into account