Update TLS Specification
Change-Id: I30c25dc9ba59f9c8a3f7316e38d84dc8dc576406
parent 6ab85b6db9
commit 5556eeb727
@ -1,29 +1,34 @@
seqdiag {
span_height = 10;
activation = none;
=== In Octavia ===
Barbican;
Octavia => Nova [label="Create new Amphora", note="include Octavia Controller certificate and IP as Metadata"];
=== In Octavia ===
Octavia -> Octavia [label="Get a new cert/key from CertGenerator"];
Octavia -> "Compute Driver" [label="Create new Amphora"] {
"Compute Driver" -> Nova [label="Create instance", note="Ref Impl, ConfigDrive: Octavia Controller certificate and IP, and a generated/signed cert + private key"];
}
Octavia => "Compute Driver" [label="Wait for Amphora Ready"];
loop {
Octavia => Nova [label="Poll for ACTIVE Amphora", return="Amphora Management IP"];
"Compute Driver" => Nova [label="Poll for ACTIVE Amphora", note="Ref Impl", return="Amphora Management IP"];
}
Octavia -> Octavia [label="Store Amphora IP"];
=== Meanwhile, in the Amphora ===
Amphora -> Amphora [label="Generate private key and CSR"];
Amphora => Octavia [label="Request Certificate Signing", return = "Signed Certificate"] {
Octavia -> Octavia [label="Verify Amphora by source IP"];
Octavia => Barbican [label="Process CSR using private CA", return="Signed Certificate"];
Octavia => "Amp Driver" [label="Run Amphora Self-Test", return="PASS/FAIL"] {
"Amp Driver" -> "Amp Driver" [label="Poll DB until first Heartbeat arrives", note="Ref Impl"];
"Amp Driver" => "Amphora API" [label="Run Self-Test", note="Ref Impl"] {
=== If Self-test passes ===
Octavia -> Octavia [label="Add Amphora to standby pool"];
=== If Self-test fails ===
Octavia -> Octavia [label="Delete Amphora"];
}
}
=== In the Amphora (Ref Impl) ===
Amphora -> Amphora [label="Start Services (API, Heartbeat)"];
"Amphora Heartbeat" -> Octavia [label="Announce", note="UDP? HTTPS?"] {
Octavia -> Octavia [label="Verify Amphora by source IP (UDP) or certificate (HTTPS)"];
"Amp Heartbeat" -> "Amp Driver" [label="Announce", note="UDP"] {
"Amp Driver" -> "Amp Driver" [label="Verify Amphora by Signed UDP Heartbeat"];
=== If Verification fails ===
Octavia -> Octavia [label="Log and Ignore"];
"Amp Driver" -> "Amp Driver" [label="Log and Ignore"];
=== If Verification succeeds ===
Octavia => "Amphora API" [label="Run Self-test"];
=== If Self-test fails ===
Octavia -> Octavia [label="Delete Amphora, retry process"];
=== If Self-test succeeds ===
Octavia -> Octavia [label="Add Amphora to standby pool"];
"Amp Driver" -> "Health Manager" [label="Store Heartbeat"];
}
}
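Review bot: the `"Amp Driver" -> "Amp Driver" [label="Verify Amphora by Signed UDP Heartbeat"]` step does not say which key signs the heartbeat or how the driver binds that key to one specific Amphora, so a reader cannot tell what a forged or replayed heartbeat would look like to the verifier; name the key in the label or note (for example the per-Amphora material delivered in the ConfigDrive step) and state the freshness element (sequence number or timestamp) the signature covers. The `"Compute Driver" -> Nova [label="Create instance", note="... a generated/signed cert + private key"]` step also moves private-key generation off the Amphora and places the key on the ConfigDrive, whereas the `Generate private key and CSR` flow shown alongside it never lets the key leave the Amphora; the Security impact section should say that the key is then only as protected as the compute host's handling of that drive.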
@ -53,16 +53,14 @@ event or during some other non-interactive scenario).
.. seqdiag:: tls-data-security-2.diag
2. Create a CertificateGenerator interface to generate certificates from CSRs.
When an Amphora spins up, it will generate its own private key and CSR, then
contact the controller and request a signed certificate. The controller will
cause one to be generated [2] and return it to the Amphora (syncronous), which
will configure the Amphora API to listen using that certificate. All future
communications with the Amphora will do client certificate validation based on
our (private) certificate authority.
If we are unable to generate a certificate for the Amphora, we will respond
with a 503 and the Amphora will be expected to wait some configurable retry
period before trying again.
When the controller creates an Amphora, it will generate a private key and a
CSR, generate a signed certificate from the CSR, and include the private key
and signed certificate in a ConfigDrive for the new Amphora. It will also
include a copy of the Controller's certificate on the ConfigDrive. All future
communications with the Amphora will do certificate validation based on these
certificates. For the Amphora, this will be based on our (private) certificate
authority and the CN of the Amphora's cert matching the ID of the Amphora. For
the Controller, the cert should be a complete match with the version provided.
(The CertificateManager and CertificateGenerator interfaces are separate
because while Barbican can perform both functions, future implementations
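Review bot: the replacement paragraph ("When the controller creates an Amphora, it will generate a private key and a CSR ...") drops the failure path that the removed text defined (a 503 and a configurable retry period when no certificate can be generated) without saying what happens when the controller's own key generation or CSR signing fails during Amphora creation; add a sentence stating whether creation aborts, whether the half-built Amphora is deleted, and whether the operation is retried. The pinning rule "the cert should be a complete match with the version provided" also means that rotating the Controller's certificate invalidates the copy on every existing Amphora's ConfigDrive, so the text should say how a rotated controller certificate reaches running Amphorae, or state plainly that rotation requires replacing them.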
@ -93,10 +91,7 @@ generic).
REST API impact
---------------
There will need to be an API resource in the controller for the Amphora to
use when requesting a certificate. All further API based communication with
the Amphora will take place over HTTPS and validate the certificate of
both the server and the client.
None
Security impact
---------------
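Review bot: replacing the REST API impact text with `None` removes the only statement in this section that all further API communication with the Amphora takes place over HTTPS and validates the certificates of both server and client; the new design still depends on that (the Amphora API serves with the ConfigDrive-delivered certificate and the controller connects to it as a client), so keep one sentence here saying that no new controller resource is added but that the Amphora API is the affected surface and must reject connections that do not present a client certificate issued by the private CA. The `Security impact` heading that closes the hunk has its body outside the visible lines; confirm that it covers the private key on the ConfigDrive and the removal of verification by source IP.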