repository for SSO realm registry and helm chart
- NextJS (ReactJS): a React framework that gives you building blocks to create web applications.
- Spilo: a Docker image that provides PostgreSQL and Patroni bundled together.
- Postgres 14 and Patroni 2.1.3 are currently installed in OCP namespaces.
- We track the PostgreSQL security vulnerability list for the supported versions, together with the release history, to mitigate known issues and plan ahead of version deprecation:
- We track the Spilo release history to upgrade the bundled Patroni version as needed:
- We run a daily database backup through WAL-G's PostgreSQL continuous archiving setup; because WAL segments are archived as well as base backups, this also enables point-in-time recovery. The relevant chart values:

  ```yaml
  patroni:
    walG:
      enabled: true
      scheduleCronJob: 00 01 * * *
      retainBackups: 2
      pvc:
        size: 1Gi
  ```

- We store backups on an OpenShift PVC (netapp-file-backup), which is one of the supported WAL-G storage types.
The restore procedure below is run from a shell inside the leader pod. Before removing anything, confirm that `PGDATA` is set in that shell: `rm -rf "$PGDATA"` with an empty variable does not do what you want.

- Check that the Patroni cluster is healthy and running:

  ```shell
  $ patronictl list
  + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
  | Member                   | Host          | Role    | State   | TL | Lag in MB |
  +--------------------------+---------------+---------+---------+----+-----------+
  | realm-registry-patroni-0 | 10.97.122.229 | Replica | running |  6 |         0 |
  | realm-registry-patroni-1 | 10.97.121.116 | Leader  | running |  6 |           |
  +--------------------------+---------------+---------+---------+----+-----------+
  ```

- Put the Patroni cluster into maintenance mode, so that it does not fail over while the data directory is being replaced:

  ```shell
  $ patronictl pause
  Success: cluster management is paused
  ```

- Confirm that the cluster is in maintenance mode:

  ```shell
  $ patronictl list
  + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
  | Member                   | Host          | Role    | State   | TL | Lag in MB |
  +--------------------------+---------------+---------+---------+----+-----------+
  | realm-registry-patroni-0 | 10.97.122.229 | Replica | running |  6 |         0 |
  | realm-registry-patroni-1 | 10.97.121.116 | Leader  | running |  6 |           |
  +--------------------------+---------------+---------+---------+----+-----------+
   Maintenance mode: on
  ```

- Stop the PostgreSQL server in the leader pod (`pg_ctl stop` stops the server process, not a client):

  ```shell
  $ pg_ctl stop
  waiting for server to shut down..... done
  server stopped
  ```

- Remove the current data directory:

  ```shell
  $ rm -rf "$PGDATA"
  ```

- Restore the latest archived base backup. `backup-fetch` only extracts the base backup; WAL archived after it is replayed by PostgreSQL's `restore_command` (WAL-G's `wal-fetch`) when the server starts, which is what makes point-in-time recovery possible:

  ```shell
  $ wal-g backup-fetch "$PGDATA" LATEST
  INFO: 2022/08/03 18:34:42.443396 Selecting the latest backup...
  INFO: 2022/08/03 18:34:43.023566 Finished extraction of part_003.tar.lz4
  INFO: 2022/08/03 18:34:43.024048 Finished decompression of part_003.tar.lz4
  INFO: 2022/08/03 18:34:46.741348 Finished extraction of part_001.tar.lz4
  INFO: 2022/08/03 18:34:46.741801 Finished decompression of part_001.tar.lz4
  INFO: 2022/08/03 18:34:46.749453 Finished extraction of pg_control.tar.lz4
  INFO: 2022/08/03 18:34:46.749835 Finished decompression of pg_control.tar.lz4
  INFO: 2022/08/03 18:34:46.749866 Backup extraction complete.
  ```

- Resume the Patroni cluster:

  ```shell
  $ patronictl resume
  Success: cluster management is resumed
  ```

- Check that the cluster is active again. Roles may have swapped during the restore; in this run `realm-registry-patroni-0` came back as leader:

  ```shell
  $ patronictl list
  + Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
  | Member                   | Host          | Role    | State   | TL | Lag in MB |
  +--------------------------+---------------+---------+---------+----+-----------+
  | realm-registry-patroni-0 | 10.97.122.229 | Leader  | running |  6 |         0 |
  | realm-registry-patroni-1 | 10.97.121.116 | Replica | running |  6 |           |
  +--------------------------+---------------+---------+---------+----+-----------+
  ```

- To list the available backups and restore a specific one instead of `LATEST`, run:

  ```shell
  $ wal-g backup-list
  name                          modified             wal_segment_backup_start
  base_00000003000000000000007E 2022-07-31T01:00:10Z 00000003000000000000007E
  base_000000030000000000000080 2022-08-01T01:00:10Z 000000030000000000000080
  base_000000030000000000000082 2022-08-02T01:00:11Z 000000030000000000000082
  base_000000030000000000000088 2022-08-03T01:00:10Z 000000030000000000000088
  $ wal-g backup-fetch "$PGDATA" base_000000030000000000000088
  ```
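The restore steps above as one guarded script. This is an added example, not a script from the realm-registry repository or the chart. It assumes it runs inside the leader pod, where `patronictl`, `pg_ctl` and `wal-g` are on `PATH` and `PGDATA` is set, and that the Patroni member name equals the pod's `HOSTNAME` (the default for Patroni on Kubernetes). Beyond the page's steps, it refuses to run with an unset `PGDATA`, aborts if the current pod is not the leader, waits for Patroni to confirm maintenance mode before deleting anything, and can resolve the backup name from `wal-g backup-list` output as the newest backup at or before a timestamp. The two sample outputs embedded in it are constructed from the listings shown above so the parsing helpers can be exercised without a cluster.

```shell
#!/bin/sh
# Added example wrapper for the WAL-G restore procedure (not the repository's own code).
# Assumptions: runs inside the leader pod; patronictl, pg_ctl and wal-g are on PATH;
# PGDATA is set; the Patroni member name equals this pod's HOSTNAME.

# Constructed sample outputs in the format the tools print, used only for testing the helpers.
SAMPLE_PATRONI_LIST='+ Cluster: realm-registry (7106273589750788182) -----+---------+----+-----------+
| Member                   | Host          | Role    | State   | TL | Lag in MB |
+--------------------------+---------------+---------+---------+----+-----------+
| realm-registry-patroni-0 | 10.97.122.229 | Replica | running |  6 |         0 |
| realm-registry-patroni-1 | 10.97.121.116 | Leader  | running |  6 |           |
+--------------------------+---------------+---------+---------+----+-----------+
 Maintenance mode: on'

SAMPLE_BACKUP_LIST='name                          modified             wal_segment_backup_start
base_00000003000000000000007E 2022-07-31T01:00:10Z 00000003000000000000007E
base_000000030000000000000080 2022-08-01T01:00:10Z 000000030000000000000080
base_000000030000000000000082 2022-08-02T01:00:11Z 000000030000000000000082
base_000000030000000000000088 2022-08-03T01:00:10Z 000000030000000000000088'

# Succeeds when `patronictl list` output on stdin reports maintenance mode on.
patroni_is_paused() {
  grep -q 'Maintenance mode: on'
}

# Prints the member name holding the Leader role from `patronictl list` output on stdin.
# Columns are split on '|'; $2 is Member and $4 is Role.
patroni_leader() {
  awk -F'|' '$4 ~ /Leader/ { gsub(/^ +| +$/, "", $2); print $2 }'
}

# From `wal-g backup-list` output on stdin, prints the newest backup whose modified
# time is not after the ISO-8601 cutoff given as $1; exits non-zero if there is none.
# ISO-8601 timestamps in the same format compare correctly as strings.
latest_backup_not_after() {
  awk -v cutoff="$1" '
    NR > 1 && $2 <= cutoff && $2 > best_when { best = $1; best_when = $2 }
    END { if (best == "") exit 1; print best }'
}

# Replaces this pod's data directory with a base backup and brings the cluster back.
# $1: backup name or LATEST (default). $2: optional cutoff timestamp; when given, the
# backup name is resolved from `wal-g backup-list` and $1 is ignored.
restore_backup() {
  : "${PGDATA:?PGDATA must be set; refusing to run rm -rf on an empty path}"
  target="${1:-LATEST}"
  if [ -n "$2" ]; then
    target=$(wal-g backup-list | latest_backup_not_after "$2") || {
      echo "no backup at or before $2" >&2; return 1; }
  fi

  # Only the leader's data directory should be replaced; abort on any other member.
  leader=$(patronictl list | patroni_leader)
  [ "$leader" = "$HOSTNAME" ] || {
    echo "this pod ($HOSTNAME) is not the leader ($leader)" >&2; return 1; }

  patronictl pause
  # Do not touch the data directory until Patroni confirms the cluster is paused.
  patronictl list | patroni_is_paused || {
    echo "cluster did not enter maintenance mode" >&2; return 1; }

  pg_ctl stop
  rm -rf "${PGDATA:?}"
  wal-g backup-fetch "$PGDATA" "$target"

  patronictl resume
  patronictl list
}
```

Source the file in the leader pod and call `restore_backup` for `LATEST`, `restore_backup base_000000030000000000000088` for a named backup, or `restore_backup '' 2022-08-02T12:00:00Z` to have the name resolved from the listing (that call would pick `base_000000030000000000000082` from the sample above).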
We use most of GitHub's built-in security features in this repository to keep code and secrets secure and to manage dependency vulnerabilities:

- Privately discuss and fix security vulnerabilities in the repository's code, then publish a security advisory to alert the community to the vulnerability and encourage users to upgrade.
- View alerts about dependencies that are known to contain security vulnerabilities, and choose whether pull requests are generated automatically to update those dependencies.
- Use Dependabot to automatically raise pull requests that keep dependencies up to date. This reduces exposure to older versions; running newer versions makes patches easier to apply when vulnerabilities are discovered, and makes it more likely that Dependabot security updates can raise a pull request that upgrades a vulnerable dependency cleanly.
- Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted with detailed information so they can be fixed before the code is merged into the default branch.
The backend API exposes a proxy endpoint used by the Common Hosted Single Sign-on (CSS) Lambda API endpoints. The proxy exists to meet the IDIM web service's security requirement that callers be hosted in the same network as the service. The IDIM web service backend logic is stored in IDIM Web Service.

- The IDIM web service proxy uses two environment variables:
  - `BCEID_SERVICE_ID`: the OSID number for the BCeID Client Web Services.
  - `BCEID_SERVICE_BASIC_AUTH`: the Basic Auth authorization token.
- To generate the authorization token from IDIR account credentials:

  ```shell
  echo -n "<idir_username>:<idir_password>" | base64
  ```

  This is base64 encoding, not encryption: the token is the IDIR username and password in a trivially reversible form, so it must be handled with the same care as the password itself. Typing the password on the command line also leaves it in shell history. The resulting secret is stored with the other Realm Registry secrets in the Platform Services Vault service.