Skip to content

Latest commit

 

History

History
178 lines (128 loc) · 7.5 KB

README.md

File metadata and controls

178 lines (128 loc) · 7.5 KB

SSO Realm Registry

Lifecycle:Stable

repository for SSO realm registry and helm chart

Tech Stack

  • NextJS (ReactJS): a React framework that gives you building blocks to create web applications.

  • Spilo: a Docker image that provides PostgreSQL and Patroni bundled together.

    • Postgres 14 and Patroni 2.1.3 are currently installed in OCP namespaces.

Database Security

Database Backup & Recovery

Recovery Process

  • check if patroni cluster is healthy and running.

    $ patronictl list
    + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
    | Member                   | Host          | Role    | State   | TL | Lag in MB |
    +--------------------------+---------------+---------+---------+----+-----------+
    | realm-registry-patroni-0 | 10.97.122.229 | Replica | running |  6 |         0 |
    | realm-registry-patroni-1 | 10.97.121.116 | Leader  | running |  6 |           |
    +--------------------------+---------------+---------+---------+----+-----------+
  • set the patroni cluster on maintenance mode.

    $ patronictl pause
    Success: cluster management is paused
  • check if the patroni cluster is on maintenance mode.

    $ patronictl list
    + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
    | Member                   | Host          | Role    | State   | TL | Lag in MB |
    +--------------------------+---------------+---------+---------+----+-----------+
    | realm-registry-patroni-0 | 10.97.122.229 | Replica | running |  6 |         0 |
    | realm-registry-patroni-1 | 10.97.121.116 | Leader  | running |  6 |           |
    +--------------------------+---------------+---------+---------+----+-----------+
     Maintenance mode: on
  • stop the postgres client in the leader pod.

    $ pg_ctl stop
    waiting for server to shut down..... done
    server stopped
  • remove the current data directory.

    $ rm -rf "$PGDATA"
  • restore the latest archived data.

    $ wal-g backup-fetch "$PGDATA" LATEST
    INFO: 2022/08/03 18:34:42.443396 Selecting the latest backup...
    INFO: 2022/08/03 18:34:43.023566 Finished extraction of part_003.tar.lz4
    INFO: 2022/08/03 18:34:43.024048 Finished decompression of part_003.tar.lz4
    INFO: 2022/08/03 18:34:46.741348 Finished extraction of part_001.tar.lz4
    INFO: 2022/08/03 18:34:46.741801 Finished decompression of part_001.tar.lz4
    INFO: 2022/08/03 18:34:46.749453 Finished extraction of pg_control.tar.lz4
    INFO: 2022/08/03 18:34:46.749835 Finished decompression of pg_control.tar.lz4
    INFO: 2022/08/03 18:34:46.749866
    Backup extraction complete.
  • resume the patroni cluster

    $ patronictl resume
    Success: cluster management is resumed
  • check if the patroni cluster is on active mode.

    $ patronictl list
    + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
    | Member                   | Host          | Role    | State   | TL | Lag in MB |
    +--------------------------+---------------+---------+---------+----+-----------+
    | realm-registry-patroni-0 | 10.97.122.229 | Leader  | running |  6 |         0 |
    | realm-registry-patroni-1 | 10.97.121.116 | Replica | running |  6 |           |
    +--------------------------+---------------+---------+---------+----+-----------+
  • to list the backups and restore the specific one, run:

    $ wal-g backup-list
    name modified wal_segment_backup_start
    base_00000003000000000000007E 2022-07-31T01:00:10Z 00000003000000000000007E
    base_000000030000000000000080 2022-08-01T01:00:10Z 000000030000000000000080
    base_000000030000000000000082 2022-08-02T01:00:11Z 000000030000000000000082
    base_000000030000000000000088 2022-08-03T01:00:10Z 000000030000000000000088
    $ wal-g backup-fetch "$PGDATA" base_000000030000000000000088
  • see https://github.com/wal-e/wal-e#backup-list

  • see https://github.com/wal-e/wal-e#backup-fetch

Code security & Vulnerability Disclosure

We make use of most of GitHub's security features that help keep code and secrets secure with dependency vulnerability management in this repository.

Security advisories

Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage community members to upgrade.

Dependabot alerts and security updates

View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies.

Dependabot version updates

Use Dependabot to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for Dependabot security updates to successfully raise pull requests to upgrade vulnerable dependencies.

Code scanning

Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch.

IDIM Web Service proxy API endpoint

The backend API exposes a proxy endpoint that being used by Common Hosted Single Sign-on (CSS) lambda API endpoints to meet the security requirement of IDIM web service and hosted in the same network with it. The IDIM web service backend logic is stored in IDIM Web Service.

  • IDIM web service makes use of two of the environment variables:

    1. BCEID_SERVICE_ID: OSID # to the BCeID Client Web Services.
    2. BCEID_SERVICE_BASIC_AUTH: Basic Auth authorization token.
  • To generate the authorization token with IDIR account credentials:

    echo -n "<idir_username>:<idir_password>" | base64

This secret will be stored with the other Realm Registry secrets in the Platform Services Vault service.