...
Jira No | Summary | Description | Status | Solution | SECCOM requirements for Honolulu | Commitments are expected from the companies to provide resources to support the requirement, otherwise all of the requirements are no go for the moment. Discussion with Andreas and commitment on Michal’s suport for Python upgrades. For CII Badging work with the integration team to have scripts that would validate. | ongoing | Harbor update |
2 ways of Harbor onboarding: run and development. More information about the job and key requirement. In dev phase Nexu-IQ will be kept. Signing of code releases by LFN. Fabian considers Notary for that. | ongoing | Secrets management update | Different types of secrets exist in ONAP:
For every cathegory above different solution should apply: Ad 1: common secrets templates, 3-5 components still needs tobe updated like etcd, Cassandra. Ad 2: Cert initializer for https as a starting point, new backend considered apart from Certman (from AAF) like Certificate Manager from upstream. Fabian manages certificates with reverse proxy, as Bell Canada does. ONAP components are not yet ready for Ingress. Ad 3: service mesh solution with proper access rights or any other security framework. Ad 4: authentication in ingress, passwords externalized to keycloak. Ad 5: for now should be placed in secrets, in long future will needa secret store. Fabian proposed to keep secretes in Vault but outside of Kubernetes but then how to access it? secret zero problem exists. | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Flow matrix | Fabian had a meeting with Sebatien.. | ongoing | Guilin version highlights |
| ongoing | Information was shared with David and Catherine. | CII Badging requirements | Description part was updated by Tony. | done | CII Dashboard | 3 projects that are silver now:, and even one of those projects is 65% of gold (VVP) and 2 other are at 57 % of gold (Policy) and AAF, CLAMP is 96% silver and over 40 % gold. Progress was shared with the next PTLs call. | ongoingRoot pods discussion | Change in Consul recently submitted. There are 2 ways to ensure that process is not running as root in the container:
| ongoing | Preferred option to be vlidated by Krzysztof and confirmed by e-mail. After to be presented to TSC to become a best practice. | |
SECCOM requirements for Honolulu | Looking for junior profile to execute Java upgrades. Orange Labs Poland and LFN contacted. | ongoing | To be further elaborated. | |||||||||||||
Harbor update | Item solved by e-mail exchange. | done | ||||||||||||||
Secrets management update | No feedback yet from Natacha for different types of secrets existing in ONAP discussed on 10th of November. | done | ||||||||||||||
Flow matrix | Fabian had a meeting with Sebatien.. Fabian explores Celium. | ongoing | No feedback from this meeting - waiting for a feedback from Sebasien. | |||||||||||||
Quality of the code | Possibility to refuse the commit. There are quality issues in ONAP but we get a lot of push back. | ongoing | Meeting with Jessica to be planned. for pipeline creation. | |||||||||||||
CII Dashboard | Progress was shared with the last PTLs call. | done | ||||||||||||||
Versions recommended for Honolulu release | Tests checks on run time. Java 11.0.6 version selected as recommended. | ongoing | ||||||||||||||
Protocols and encryption finding sfrom Sonar | 5 types of findings, 2 of them serious: 130+ projects disabled validation of server certificate or validating host name in the certificate- ignoring part of basic TLS protocol. 38 projects have problem with the way how they use encryption algorythms - broken ones used (MD5 or SHA-1). Poor practices in identity management. SSL selected instead of TLS - easy to fix. | Best practice to be formalized - Amy to provide modified wording for Cryptographic Algorithms and Protocols. Krzysztof will have later today a meeting with Chaker and David. | ||||||||||||||
OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 24th OF NOVEMBER'20. |
...