diff --git a/specs/version0.5/tls-data-security-2.diag b/specs/version0.5/tls-data-security-2.diag
index b98381b4c5..632b5c25e8 100644
--- a/specs/version0.5/tls-data-security-2.diag
+++ b/specs/version0.5/tls-data-security-2.diag
@@ -1,29 +1,34 @@
 seqdiag {
 span_height = 10;
 activation = none;
- === In Octavia ===
 Barbican;
- Octavia => Nova [label="Create new Amphora", note="include Octavia Controller certificate and IP as Metadata"];
+ === In Octavia ===
+ Octavia -> Octavia [label="Get a new cert/key from CertGenerator"];
+ Octavia -> "Compute Driver" [label="Create new Amphora"] {
+ "Compute Driver" -> Nova [label="Create instance", note="Ref Impl, ConfigDrive: Octavia Controller certificate and IP, and a generated/signed cert + private key"];
+ }
+ Octavia => "Compute Driver" [label="Wait for Amphora Ready"];
 loop {
- Octavia => Nova [label="Poll for ACTIVE Amphora", return="Amphora Management IP"];
+ "Compute Driver" => Nova [label="Poll for ACTIVE Amphora", note="Ref Impl", return="Amphora Management IP"];
 }
 Octavia -> Octavia [label="Store Amphora IP"];
- === Meanwhile, in the Amphora ===
- Amphora -> Amphora [label="Generate private key and CSR"];
- Amphora => Octavia [label="Request Certificate Signing", return = "Signed Certificate"] {
- Octavia -> Octavia [label="Verify Amphora by source IP"];
- Octavia => Barbican [label="Process CSR using private CA", return="Signed Certificate"];
+ Octavia => "Amp Driver" [label="Run Amphora Self-Test", return="PASS/FAIL"] {
+ "Amp Driver" -> "Amp Driver" [label="Poll DB until first Heartbeat arrives", note="Ref Impl"];
+ "Amp Driver" => "Amphora API" [label="Run Self-Test", note="Ref Impl"] {
+ === If Self-test passes ===
+ Octavia -> Octavia [label="Add Amphora to standby pool"];
+ === If Self-test fails ===
+ Octavia -> Octavia [label="Delete Amphora"];
+ }
 }
+
+ === In the Amphora (Ref Impl) ===
 Amphora -> Amphora [label="Start Services (API, Heartbeat)"];
- "Amphora Heartbeat" -> Octavia [label="Announce", note="UDP? 
HTTPS?"] {
- Octavia -> Octavia [label="Verify Amphora by source IP (UDP) or certificate (HTTPS)"];
+ "Amp Heartbeat" -> "Amp Driver" [label="Announce", note="UDP"] {
+ "Amp Driver" -> "Amp Driver" [label="Verify Amphora by Signed UDP Heartbeat"];
 === If Verification fails ===
- Octavia -> Octavia [label="Log and Ignore"];
+ "Amp Driver" -> "Amp Driver" [label="Log and Ignore"];
 === If Verification succeeds ===
- Octavia => "Amphora API" [label="Run Self-test"];
- === If Self-test fails ===
- Octavia -> Octavia [label="Delete Amphora, retry process"];
- === If Self-test succeeds ===
- Octavia -> Octavia [label="Add Amphora to standby pool"];
+ "Amp Driver" -> "Health Manager" [label="Store Heartbeat"];
 }
 }
diff --git a/specs/version0.5/tls-data-security.rst b/specs/version0.5/tls-data-security.rst
index bc84e097dc..c455ea31c8 100644
--- a/specs/version0.5/tls-data-security.rst
+++ b/specs/version0.5/tls-data-security.rst
@@ -53,16 +53,14 @@ event or during some other non-interactive scenario).
 .. seqdiag:: tls-data-security-2.diag
 
 2. Create a CertificateGenerator interface to generate certificates from CSRs.
-When an Amphora spins up, it will generate its own private key and CSR, then
-contact the controller and request a signed certificate. The controller will
-cause one to be generated [2] and return it to the Amphora (syncronous), which
-will configure the Amphora API to listen using that certificate. All future
-communications with the Amphora will do client certificate validation based on
-our (private) certificate authority.
-
-If we are unable to generate a certificate for the Amphora, we will respond
-with a 503 and the Amphora will be expected to wait some configurable retry
-period before trying again.
+When the controller creates an Amphora, it will generate a private key and a
+CSR, generate a signed certificate from the CSR, and include the private key
+and signed certificate in a ConfigDrive for the new Amphora. It will also
+include a copy of the Controller's certificate on the ConfigDrive. All future
+communications with the Amphora will do certificate validation based on these
+certificates. For the Amphora, this will be based on our (private) certificate
+authority and the CN of the Amphora's cert matching the ID of the Amphora. For
+the Controller, the cert should be a complete match with the version provided.
 
 (The CertificateManager and CertificateGenerator interfaces are separate
 because while Barbican can perform both functions, future implementations
@@ -93,10 +91,7 @@ generic).
 
 REST API impact
 ---------------
-There will need to be an API resource in the controller for the Amphora to
-use when requesting a certificate. All further API based communication with
-the Amphora will take place over HTTPS and validate the certificate of
-both the server and the client.
+None
 
 Security impact
 ---------------