2020-02-18 Security Subcommittee Meeting Notes

Please find below the minutes and recording for the SECCOM meeting that was held on 18th of February 2020.

Jira No

Summary

Description

Status

Solution

 

SECCOM chair and vice chair elections

Confirm that the correct voting member for your company is on the Security Sub-committee Members list

List of participants was updated 

Amy will contact Kenny to get information about process scheduling (February time frame?).

 

Secrets encryption

Krzysztof has a draft wiki page documenting the approach for ONAP secrets management and would like feedback.

In general ONAP should not hardcode any secrets inside the HELM charts.

For the solution, first of all we should remove all default values for HELM chart external secrets. For example, the OpenStack password should be provided by the user at deployment time. We do not want to generate random values because this creates issues during upgrades. We would like to utilize the well-known master password algorithm (supported by the Spring library, which is part of HELM).

We also expect that the underlying Kubernetes cluster is configured properly, which means that it uses encryption at rest with an encryption provider plugin, so secrets are never written in plain text into etcd.

It would be good if the details (namespace, secret and key) were documented. Documentation is available here:

https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=docs/oom_user_guide.rst;h=48701f7c3126d1ccf70178d5303868cf5368d4c9;hb=refs/heads/master

In Progress

ONAP secret management
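As an added illustration of the point above (remove chart defaults for external secrets and require them at deployment time), the following is example Helm configuration written for these notes, not code from the OOM repository; the file names, the `openstack.password` key and the `common.fullname` helper are assumed.

```yaml
# --- values.yaml, weak pattern ---
# A hardcoded default means every deployment that forgets to override it
# ships the same well-known OpenStack password, and the value lives in git.
openstack:
  password: "changeme"        # hardcoded default (the pattern to remove)

---
# --- values.yaml, corrected pattern ---
# No usable default: the operator must supply the value at deploy time
# via --set or a values file that is kept outside the repository.
openstack:
  password: ""                # intentionally empty, must be provided by the user

---
# --- templates/openstack-secret.yaml (assumed file name) ---
# `required` makes `helm install`/`helm upgrade` fail with a clear message
# when the value is missing or empty, instead of silently rendering a
# Secret with an empty or default password.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.fullname" . }}-openstack   # helper name assumed
type: Opaque
stringData:
  password: {{ required "openstack.password must be set at deployment time" .Values.openstack.password | quote }}
```

Deploy with `helm install <release> <chart> --set openstack.password=<value>` (or `-f` with an out-of-repo values file); rendering fails on a missing or empty value, which is the intended behaviour.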

 

AAF client certificate

Feedback that Ramesh has put a few certificates into OOM repo resources. Why not use automated certificate generation by AAF? Feedback that those are not SSL certificates and automated certificate generation is only on the server side; client-side certificates have to be hardcoded in the repo.

We should not have any single certificate within OOM repo or any container image

Jonathan to be addressed, and John Freney (new AAF PTL) with Amy's support to clarify; to be followed up offline.

It looks very weird; to be further investigated with the AAF team. Mutual TLS = both sides can use the same certificate.

 

OOM password removal - MariaDB-Galera

Whole encryption is blocking and compromised in SO.

 

Mariadb-galera

 

Scripts for automatic Jira tickets creation for direct dependency components upgrades

PTL presentation on 10th of February. PTLs are concerned with many Jira tickets generated.

Meeting with Ittay, Pierre and Pam to be organized by Amy.

 

 

Automated K8S tests enabled for Frankfurt

Feedback from PTLs - no specific feedback.

Propose enabling

Present to TSC

Docker and Kubernetes Security

 

Bi-weekly meetings for security guidelines

Thursday's meeting slot is not valid for Harald anymore.

Data proposal to be sent by Harald to seccom distribution list.

 

 

M2/M3 SECCOM requirements update

-SECCOM Coverity integration by end of Frankfurt (REQ-247) – moved to Guilin release

-SECCOM Perform Software Composition Analysis - Vulnerability tables (REQ-263) – descoped

-SECCOM Java 11 migration from v8 (REQ-219) - feedback from PTLs call?

-SECCOM CII badging – meet targeted Silver and Gold requirements (REQ-223) - feedback from PTLs call?

Guilin release requirements to be prepared for the next SECCOM meeting.

 

 

Upcoming F2F meetings

Decide which meeting(s) SECCOM wants to focus on

Start collecting topics for the meeting(s)

In Progress

 

 

 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 25TH OF FEBRUARY'20