Hello Joseph,
the tests won't be able to download anything from GitHub, as outgoing
traffic is not allowed by default.

It can be allowed by adding a destination rule for GitHub to the egress
gateway:
https://github.com/gpii-ops/gpii-infra/blob/a28ecf06b1f114d3ca351ae050720fb70ec64db7/shared/charts/istio-gke-helper/values.yaml#L21-L24

I think preferably this would be done for dev/stg environments only, so
some simple logic might be needed.

If you open a PR with the update against gpii-infra, I'm happy to add the
code required to allow this traffic for the tests.

Note on code signing: git (& GitHub) supports code signing using GPG -
https://help.github.com/en/github/authenticating-to-github/signing-commits.

Cheers,
Stepan

On Tue, Apr 21, 2020 at 12:54 AM Gregg Vanderheiden RTF <
[email protected]> wrote:

> Great
> Thanks
>
> *gregg*
>
> ———————————
> Professor, University of Maryland, College Park
> Director, Trace R&D Center, UMD
> Co-Founder Raising the Floor. http://raisingthefloor.org
> And the Global Public Inclusive Infrastructure (GPII) http://GPII.net
>
>
>
>
> On Apr 20, 2020, at 5:24 PM, Steve Grundell <[email protected]>
> wrote:
>
> Well, thanks to TLS they're effectively already signed, by GitHub, to
> prove that only those with commit rights have produced it, and the commit
> hash in the url means it will only point to that specific version.
>
>
> Ste gr
>
> On Mon, Apr 20, 2020 at 9:40 PM Christopher Walker <
> [email protected]> wrote:
>
>> Can we digitally sign the solutions registry files so that the client can
>> verify they were created by us?
>>
>> Christopher
>>
>> On Mon, Apr 20, 2020 at 16:37 Gregg Vanderheiden RTF <
>> [email protected]> wrote:
>>
>>> Is GitHub secure enough that we want production code to be downloading
>>> from there?
>>>
>>> I guess if the URL for downloading is in the siteconfig - we can easily
>>> move it later.
>>>
>>> *gregg*
>>>
>>> ———————————
>>> Professor, University of Maryland, College Park
>>> Director, Trace R&D Center, UMD
>>> Co-Founder Raising the Floor. http://raisingthefloor.org
>>> And the Global Public Inclusive Infrastructure (GPII) http://GPII.net
>>> <http://gpii.net/>
>>>
>>>
>>>
>>>
>>> On Apr 20, 2020, at 2:09 PM, Joseph Scheuhammer <[email protected]>
>>> wrote:
>>>
>>> All, but mostly Stepan, Alfredo, and Sergey (dev-ops),
>>>
>>> The goal of GPII-4273[i] is to provide a means by which the Morphic
>>> client can fetch its platform's latest solutions registry from GitHub.
>>> In this case "latest" is defined by the version of gpii-universal
>>> running in the cloud.
>>>
>>> I've modified the solutions registry datasource (SRDS) subcomponent of
>>> the local flow manager (LFM) to construct a URL to GitHub for the
>>> appropriate solutions registry and make a GET request to download it.
>>> An example of such a URL is, assuming Morphic is running on Windows:
>>>
>>> https://raw.githubusercontent.com/GPII/universal/bd992f03313acd9a35b81f00fc63922540292255/testData/solutions/win32.json5
>>>
>>> I have modified the production tests to test the new LFM and its SRDS.
>>> The production tests involve running docker containers built from an
>>> image of gpii-universal that provide the main components of the GPII
>>> cloud.
>>>
>>> The production tests also run in GCP in dev and stg.  Here a
>>> "productiontests" container is run in which the production tests are
>>> executed as a one-shot job.
>>>
>>> Given that background:  will the security within GCP allow the LFM/SRDS
>>> within the productiontests container to make the outgoing GET request to
>>> GitHub?  I suspect not, but I will test with my dev cluster.
>>>
>>> i. https://issues.gpii.net/browse/GPII-4273
>>>
>>> --
>>> ;;;;joseph.
>>>
>>> 'The only reason for time is so that everything doesn't happen all at
>>> once.'
>>>                               - B. Banzai -
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://lists.gpii.net/mailman/listinfo/architecture
>>>
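
The version guarantee discussed in the thread holds only when the download URL carries a full commit hash on the expected host and repository. A check a client could apply to the configured URL before fetching, as an added example that is not part of the original messages or the GPII code; the function name, the allowlist and the path pattern are assumptions derived from the example URL in Joseph's message.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch, derived from the example URL in the thread.
ALLOWED_HOST = "raw.githubusercontent.com"
ALLOWED_REPOS = {("GPII", "universal")}
FULL_SHA = re.compile(r"[0-9a-f]{40}")  # full commit id; branch names and short hashes fail
REGISTRY_FILE = re.compile(r"testData/solutions/[A-Za-z0-9_]+\.json5")


def check_registry_url(url):
    """Return (ok, reason) for a solutions registry download URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    # Compare the whole authority so userinfo, ports and lookalike suffixes are rejected.
    if parts.netloc != ALLOWED_HOST:
        return False, "unexpected host"
    if parts.query or parts.fragment:
        return False, "query or fragment not allowed"
    segments = parts.path.split("/")
    if len(segments) < 5 or segments[0] != "":
        return False, "path too short"
    owner, repo, ref = segments[1:4]
    if (owner, repo) not in ALLOWED_REPOS:
        return False, "repository not allowed"
    # A mutable ref such as "master" can change content under the same URL.
    if not FULL_SHA.fullmatch(ref):
        return False, "ref is not a full commit hash"
    if not REGISTRY_FILE.fullmatch("/".join(segments[4:])):
        return False, "unexpected file path"
    return True, "ok"


if __name__ == "__main__":
    base = "https://raw.githubusercontent.com/GPII/universal/"
    sha = "bd992f03313acd9a35b81f00fc63922540292255"  # from the example URL in the thread
    tail = "/testData/solutions/win32.json5"
    samples = [  # every entry after the first is constructed for illustration
        base + sha + tail,
        base + "master" + tail,
        base + sha[:7] + tail,
        "https://raw.githubusercontent.com.example.net/GPII/universal/" + sha + tail,
    ]
    for url in samples:
        print(check_registry_url(url), url)
```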