Hi Stepan,

Thanks for the suggestions.

Regarding running these tests in dev/stg:  these new tests are to be
added to the existing production tests that already run only in dev
and stg.  So, no change is needed in that regard.

As for a PR against gpii-infra -- it is under development.  I am waiting
for my PRs for GPII-4273 to be merged with universal master, and then
proceed to the usual deploy-to-GCP process.  In the meantime I'll start
working on a branch of gpii-infra for the PR there.

On 2020-04-21 5:16 a.m., Stepan Stipl wrote:
> Hello Joseph,
> the tests won't be able to download anything from Github, as outgoing
> traffic is not allowed by default.
>
> It can be allowed by adding a destination rule for GitHub to the
> egress gateway:
> https://github.com/gpii-ops/gpii-infra/blob/a28ecf06b1f114d3ca351ae050720fb70ec64db7/shared/charts/istio-gke-helper/values.yaml#L21-L24
>
> I think preferably this would be done for dev/stg environments only,
> so some simple logic might be needed.
>
> If you open a PR with the update against gpii-infra, I'm happy to add
> the code required to allow this traffic for the tests.
>
> Note on code signing: git (& GitHub) supports code signing using GPG
> - https://help.github.com/en/github/authenticating-to-github/signing-commits.
>
> Cheers,
> Stepan
>
> On Tue, Apr 21, 2020 at 12:54 AM Gregg Vanderheiden RTF
> <[email protected]> wrote:
>
>     Great 
>     Thanks
>
>     /gregg/
>
>     ———————————
>     Professor, University of Maryland, College Park
>     Director , Trace R&D Center, UMD
>     Co-Founder Raising the Floor. http://raisingthefloor.org
>     And the Global Public Inclusive Infrastructure (GPII) http://GPII.net
>
>
>
>
>>     On Apr 20, 2020, at 5:24 PM, Steve Grundell
>>     <[email protected]> wrote:
>>
>>     Well, thanks to TLS they're effectively already signed, by
>>     Github, to prove that only those with commit rights have produced
>>     it, and the commit hash in the url means it will only point to
>>     that specific version.
>>
>>
>>     Ste gr
>>
>>     On Mon, Apr 20, 2020 at 9:40 PM Christopher Walker
>>     <[email protected]> wrote:
>>
>>         Can we digitally sign the solutions registry files so that
>>         the client can verify they were created by us?
>>
>>         Christopher
>>
>>         On Mon, Apr 20, 2020 at 16:37 Gregg Vanderheiden RTF
>>         <[email protected]> wrote:
>>
>>             Is Github secure enough that we want production code to
>>             be downloading from there? 
>>
>>             I guess if the URL for downloading is in the siteconfig -
>>             we can easily move it later. 
>>
>>             /gregg/
>>
>>             ———————————
>>             Professor, University of Maryland, College Park
>>             Director , Trace R&D Center, UMD
>>             Co-Founder Raising the Floor. http://raisingthefloor.org
>>             And the Global Public Inclusive Infrastructure (GPII)
>>             http://GPII.net
>>
>>
>>
>>
>>>             On Apr 20, 2020, at 2:09 PM, Joseph Scheuhammer
>>>             <[email protected]> wrote:
>>>
>>>             All, but mostly Stepan, Alfredo, and Sergey (dev-ops),
>>>
>>>             The goal of GPII-4273[i] is to provide a means by which the
>>>             Morphic client can fetch its platform's latest solutions
>>>             registry from github.  In this case "latest" is defined by
>>>             the version of gpii-universal running in the cloud.
>>>
>>>             I've modified the solutions registry datasource (SRDS)
>>>             subcomponent of the local flow manager (LFM) to construct an
>>>             url to github for the appropriate solutions registry and make
>>>             a GET request to download it.  An example of such an url is,
>>>             assuming Morphic is running on Windows:
>>>             
>>> https://raw.githubusercontent.com/GPII/universal/bd992f03313acd9a35b81f00fc63922540292255/testData/solutions/win32.json5
>>>
>>>             I have modified the production tests to test the new LFM and
>>>             its SRDS.  The production tests involve running docker
>>>             containers built from an image of gpii-universal that provide
>>>             the main components of the GPII cloud.
>>>
>>>             The production tests also run in GCP in dev and stg.  Here a
>>>             "productiontests" container is run in which the production
>>>             tests are executed as a one-shot job.
>>>
>>>             Given that background:  will the security within GCP allow
>>>             the LFM/SRDS within the productiontests container to make the
>>>             outgoing GET request to github?  I suspect not, but I will
>>>             test with my dev cluster.
>>>
>>>             i. https://issues.gpii.net/browse/GPII-4273
>>>
>>>             -- 
>>>             ;;;;joseph.
>>>
>>>             'The only reason for time is so that everything doesn't
>>>             happen all at once.'
>>>                                           - B. Banzai -
>>>
>>>             _______________________________________________
>>>             Architecture mailing list
>>>             [email protected]
>>>             <mailto:[email protected]>
>>>             https://lists.gpii.net/mailman/listinfo/architecture


-- 
;;;;joseph.

'The only reason for time is so that everything doesn't happen all at once.'
                               - B. Banzai -

_______________________________________________
Architecture mailing list
[email protected]
https://lists.gpii.net/mailman/listinfo/architecture
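
Added example, not part of the e-mail thread and not gpii-universal code: the thread relies on the commit hash in the URL to fix the exact registry version, and notes that the download URL could live in the siteconfig. The JavaScript below builds such a URL and checks a configured one before it is fetched; the function names and every platform name other than win32 are assumptions.

```javascript
// Added example; names are hypothetical, not taken from gpii-universal.
const REGISTRY_HOST = "raw.githubusercontent.com";
// Only win32 appears in the thread; the other platform names are assumed.
const PLATFORMS = new Set(["win32", "linux", "darwin"]);
// A full 40-hex SHA-1 names one immutable commit. A branch, tag or
// abbreviated hash can later resolve to different content.
const FULL_SHA = /^[0-9a-f]{40}$/;
const REGISTRY_PATH =
  /^\/GPII\/universal\/([^/]+)\/testData\/solutions\/([^/]+)\.json5$/;

// Build the download URL from the commit the cloud is running.
function buildRegistryUrl(commit, platform) {
  if (!FULL_SHA.test(commit)) {
    throw new Error("commit must be a full 40-hex SHA");
  }
  if (!PLATFORMS.has(platform)) {
    throw new Error("unknown platform: " + platform);
  }
  return "https://" + REGISTRY_HOST + "/GPII/universal/" + commit +
    "/testData/solutions/" + platform + ".json5";
}

// Check a URL read from configuration before any request is made.
function checkRegistryUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return { ok: false, reason: "not a URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  if (url.hostname !== REGISTRY_HOST || url.port !== "") {
    return { ok: false, reason: "unexpected host" };
  }
  if (url.username || url.password || url.search || url.hash) {
    return { ok: false, reason: "unexpected URL parts" };
  }
  const m = url.pathname.match(REGISTRY_PATH);
  if (!m) return { ok: false, reason: "unexpected path" };
  if (!FULL_SHA.test(m[1])) {
    return { ok: false, reason: "not pinned to a full commit hash" };
  }
  if (!PLATFORMS.has(m[2])) return { ok: false, reason: "unknown platform" };
  return { ok: true, commit: m[1], platform: m[2] };
}
```
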