From 5556eeb727c52c35e13b06483242a6dccbac63fd Mon Sep 17 00:00:00 2001
From: Adam Harwell <flux.adam@gmail.com>
Date: Wed, 17 Dec 2014 12:27:47 -0800
Subject: [PATCH] Update TLS Specification

Change-Id: I30c25dc9ba59f9c8a3f7316e38d84dc8dc576406
---
 specs/version0.5/tls-data-security-2.diag | 37 +++++++++++++----------
 specs/version0.5/tls-data-security.rst    | 23 ++++++--------
 2 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/specs/version0.5/tls-data-security-2.diag b/specs/version0.5/tls-data-security-2.diag
index b98381b4c5..632b5c25e8 100644
--- a/specs/version0.5/tls-data-security-2.diag
+++ b/specs/version0.5/tls-data-security-2.diag
@@ -1,29 +1,34 @@
 seqdiag {
     span_height = 10;
     activation = none;
-    === In Octavia ===
     Barbican;
-    Octavia => Nova [label="Create new Amphora", note="include Octavia Controller certificate and IP as Metadata"];
+    === In Octavia ===
+    Octavia -> Octavia [label="Get a new cert/key from CertGenerator"];
+    Octavia -> "Compute Driver" [label="Create new Amphora"] {
+        "Compute Driver" -> Nova [label="Create instance", note="Ref Impl, ConfigDrive: Octavia Controller certificate and IP, and a generated/signed cert + private key"];
+    }
+    Octavia => "Compute Driver" [label="Wait for Amphora Ready"];
     loop {
-        Octavia => Nova [label="Poll for ACTIVE Amphora", return="Amphora Management IP"];
+        "Compute Driver" => Nova [label="Poll for ACTIVE Amphora", note="Ref Impl", return="Amphora Management IP"];
     }
     Octavia -> Octavia [label="Store Amphora IP"];
-    === Meanwhile, in the Amphora ===
-    Amphora -> Amphora [label="Generate private key and CSR"];
-    Amphora => Octavia [label="Request Certificate Signing", return = "Signed Certificate"] {
-        Octavia -> Octavia [label="Verify Amphora by source IP"];
-        Octavia => Barbican [label="Process CSR using private CA", return="Signed Certificate"];
+    Octavia => "Amp Driver" [label="Run Amphora Self-Test", return="PASS/FAIL"] {
+        "Amp Driver" -> "Amp Driver" [label="Poll DB until first Heartbeat arrives", note="Ref Impl"];
+        "Amp Driver" => "Amphora API" [label="Run Self-Test", note="Ref Impl"] {
+            === If Self-test passes ===
+            Octavia -> Octavia [label="Add Amphora to standby pool"];
+            === If Self-test fails ===
+            Octavia -> Octavia [label="Delete Amphora"];
+        }
     }
+
+    === In the Amphora (Ref Impl) ===
     Amphora -> Amphora [label="Start Services (API, Heartbeat)"];
-    "Amphora Heartbeat" -> Octavia [label="Announce", note="UDP? HTTPS?"] {
-        Octavia -> Octavia [label="Verify Amphora by source IP (UDP) or certificate (HTTPS)"];
+    "Amp Heartbeat" -> "Amp Driver" [label="Announce", note="UDP"] {
+        "Amp Driver" -> "Amp Driver" [label="Verify Amphora by Signed UDP Heartbeat"];
         === If Verification fails ===
-        Octavia -> Octavia [label="Log and Ignore"];
+        "Amp Driver" -> "Amp Driver" [label="Log and Ignore"];
         === If Verification succeeds ===
-        Octavia => "Amphora API" [label="Run Self-test"];
-        === If Self-test fails ===
-        Octavia -> Octavia [label="Delete Amphora, retry process"];
-        === If Self-test succeeds ===
-        Octavia -> Octavia [label="Add Amphora to standby pool"];
+        "Amp Driver" -> "Health Manager" [label="Store Heartbeat"];
     }
 }
diff --git a/specs/version0.5/tls-data-security.rst b/specs/version0.5/tls-data-security.rst
index bc84e097dc..c455ea31c8 100644
--- a/specs/version0.5/tls-data-security.rst
+++ b/specs/version0.5/tls-data-security.rst
@@ -53,16 +53,14 @@ event or during some other non-interactive scenario).
 .. seqdiag:: tls-data-security-2.diag
 
 2. Create a CertificateGenerator interface to generate certificates from CSRs.
-When an Amphora spins up, it will generate its own private key and CSR, then
-contact the controller and request a signed certificate. The controller will
-cause one to be generated [2] and return it to the Amphora (syncronous), which
-will configure the Amphora API to listen using that certificate. All future
-communications with the Amphora will do client certificate validation based on
-our (private) certificate authority.
-
-If we are unable to generate a certificate for the Amphora, we will respond
-with a 503 and the Amphora will be expected to wait some configurable retry
-period before trying again.
+When the controller creates an Amphora, it will generate a private key and a
+CSR, generate a signed certificate from the CSR, and include the private key
+and signed certificate in a ConfigDrive for the new Amphora. It will also
+include a copy of the Controller's certificate on the ConfigDrive. All future
+communications with the Amphora will do certificate validation based on these
+certificates. For the Amphora, this will be based on our (private) certificate
+authority and the CN of the Amphora's cert matching the ID of the Amphora. For
+the Controller, the cert should be a complete match with the version provided.
 
 (The CertificateManager and CertificateGenerator interfaces are separate
 because while Barbican can perform both functions, future implementations
@@ -93,10 +91,7 @@ generic).
 
 REST API impact
 ---------------
-There will need to be an API resource in the controller for the Amphora to
-use when requesting a certificate. All further API based communication with
-the Amphora will take place over HTTPS and validate the certificate of
-both the server and the client.
+None
 
 Security impact
 ---------------