sstent/LogSeq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ddddd302ddce251fd28d6001fc4b239db556bbf
LogSeq/journals/2025_05_02.md
sstent 4662fe2d3b first commit
2025-12-11 06:26:12 -08:00

5.3 KiB
Raw Blame History

  • DONE Plug-in framework vision and strategy completed:: 06-05-2025 collapsed:: true
    • can we target a date for this.
    • This is gaining more priority everyday. It will be great to target the first version for review amongst the three of us next week.
  • DONE Morpheus Road Map Review with Cheri on 05-20-2025 and 05-21-2025 . completed:: 06-05-2025
    • More context on this - Essentially, we need to provide a Morpheus roadmap, high confidence roadmap for the next two quarters, and a medium confidence roadmap for the 12 months after that. Again, the priority here is to have a very high confidence clear roadmap for the next two quarters To an extent that it can be communicated with dates to external customers.
      • DONE review current roadmap in AHA (any big groups?) completed:: 06-05-2025
      • DONE review items in "FW: PCFS 1st monthly backlog, release and roadmap planning - May 21 & 22" email completed:: 06-05-2025
  • Neil van Ransburg 1:1 #call #plugins and integrations #morpheus collapsed:: true
    • ISV plugins
      • morpheus supported
      • partners upported
        • get NDA in place + alliance docs in place
        • low bar to entry at the moment
        • terms of use (EULA) + plugin source license (based on terraform BSL)
        • no certification or SLA in place today
          • informal QA testing from our engineering team
            • no strict process in place
            • overhead was key blocker
          • based on the terraform module processes
      • community
    • spend largest amount of time doing enablement
    • certifiation of external plugins?
    • list of isvs who are creating plugins
    • Maven central (plugin core) = interace to mopheus
    • Captures
      • image.png
      • plugins are classes are exposed via grooxy classes
      • image.png
      • High interest tight now
        • openshift virtualization is high priority
          • SSE tam under divaker want to do this
        • USU -
          • tryting to target asia tech jam
        • Exavity
        • stackit
          • german service provider
          • helped build this plugin, then got stuck on floating IPS
      • image.png
  • Eric Forgette 1:1 #call #morpheus #security #architecture
    • Security processes/standrds for developmet
      • Architectural Threat Analysis?
    • architecture overview and current thinking on future
      • as we are designing new features in HPE (not yet the process for the core eng. team)
        • design doc
        • security design doc
      • one observation
        • implemetation of MKS takes a very simlar approach to k8s as it does vmware
          • leverage RBAC in morpheus, then if allowed AuthZ, then elevated to run the command
      • Central Service
        • cloud based mgmt of multiple morpheus installs
      • PCCP = just morpheus
        • big changes in PCE - getting more features
        • PCBE -
      • SilverCreek == GLP on prem?
      • disconnnected PCAI - control plane is huge, expensive on prem
  • Adam Lipscombe 1:1 #call #morpheus #security
      • Greg Willis
    • Security processes/standards for development
      • SDLC and guidelines
        • OWASP top 10
      • SLA based on CSSV scroring
        • internal engineering process, doesn't hit AHA!
        • VTN is notification mechanism
          • noticed as sent to security
            • Adam/Gram
          • the review notifications
          • if needs rememdiation
          • then goes it 'shortcut' (old Jira alternative)
        • also triggered via support tickets to Adam
      • process today
        • featues goes to backlog
          • this means approved by committe
        • development happens
          • in branch
        • summited for PR
          • non-trusted have PR
          • trusted developers peer-review on submisison to dev branch
        • Dev goes through QA cycle
          • functional testing
        • at code freeze promoted to staging
          • regression testing
        • release tag on pass etc
      • Morpheus
        • Architectural Threat Analysis? (see Estes)
      • Current State
        • HVM not tracked in same process
        • multi-tenant arch
          • seperation via rbac and encrytion
          • config code is encrypted on upload by customer
          • agent methodology
            • subscribes to queue
          • comms channels and authz
            • only way to get inside the system would be via the applicaiton code
            • VTN instead of Git dependabot
            • app pentesting - was used in the past
              • but no longer used
              • moving to HPE armor
            • 3rd party pen testing every year
              • nothing found in last 4 years
            • some rapid7 testing happening now
          • morpheus tested on the PCE end of things
          • arch diagrams
            • ref arch diagrams
            • Tiered model
              • SQL database
              • elastic
              • rabbitmq messaging
              • app tier
                • 2 parts
                  • nginx web proxy
                  • tomcat container for ui/app
                    • bouncycastle generates keys etc
                • Cypher used for key store
        • Lots of requests from customers re more security features
          • e.g. create users in external IAM
          • sec config testing
        • Certificaitons/regualtions
          • before HPE - only a shippable software
            • not a saas etc
          • hardening guides
            • disa
            • tested up to CIS level 1 and 2
          • post HPE
            • having to shift into a sevice offering
              • no one has connected the dots here yet on compliance
  • ((6814dcc7-6319-4582-8c00-642a273286ab))
Reference in New Issue View Git Blame Copy Permalink