emetsger
commented
3 years ago The working theory is that when the default certs are used (the trusted ones from Let's Encrypt), the requests issued by Go to the JSONAPI go directly to the drupal container.
When the self-signed certs are used, the requests issued by Go are issued first to traefik, which then proxies them to the drupal container.
The requests issued by Go do not have their URL query parameters encoded (this is an oversight), however, drupal happily accepts those requests. When the same requests are issued through traefik, they are spiked with a 400 error (but this error is not logged at all by traefik because the magic incantation for logging them is unknown).
traefikwill log404s, for example, but not400s that result from an unencoded url query parameter.
When the certificates used by the IDC stack are replaced with self-signed certificates, migration tests inexplicably fail. Migration tests have two components, the testcafe portion which actually performs the migration using the Migrate Source UI module, and the Go portion which verifies the expected results. The testcafe portion succeeds, but the Go portion fails. The Go portion uses the JSONAPI to retrieve the actual results, and compares them to expected results provided by the test. The failures occur when the JSONAPI representation of a resource is retrieved (a
400is returned instead of a200).The certs used by the stack are not under version control (.gitignored), and reside under the
certs/directory, populated by thedownload-default-certsmake target.The certs used by IDC are signed by a trusted CA. When the certs are replaced with a self-signed certificate, migration tests fail.
To see this in action, checkout
developmente75e8ff and runmake reset && make test. All tests should pass.Next, checkout the
self-signed-certsbranch and runmake reset && make test, and you'll see that migration tests fail.