Update TLS Specification
Change-Id: I30c25dc9ba59f9c8a3f7316e38d84dc8dc576406
This commit is contained in:
Adam Harwell
parent
6ab85b6db9
commit
5556eeb727
@ -1,29 +1,34 @@
|
|||||||
seqdiag {
|
seqdiag {
|
||||||
span_height = 10;
|
span_height = 10;
|
||||||
activation = none;
|
activation = none;
|
||||||
=== In Octavia ===
|
|
||||||
Barbican;
|
Barbican;
|
||||||
Octavia => Nova [label="Create new Amphora", note="include Octavia Controller certificate and IP as Metadata"];
|
=== In Octavia ===
|
||||||
|
Octavia -> Octavia [label="Get a new cert/key from CertGenerator"];
|
||||||
|
Octavia -> "Compute Driver" [label="Create new Amphora"] {
|
||||||
|
"Compute Driver" -> Nova [label="Create instance", note="Ref Impl, ConfigDrive: Octavia Controller certificate and IP, and a generated/signed cert + private key"];
|
||||||
|
}
|
||||||
|
Octavia => "Compute Driver" [label="Wait for Amphora Ready"];
|
||||||
loop {
|
loop {
|
||||||
Octavia => Nova [label="Poll for ACTIVE Amphora", return="Amphora Management IP"];
|
"Compute Driver" => Nova [label="Poll for ACTIVE Amphora", note="Ref Impl", return="Amphora Management IP"];
|
||||||
}
|
}
|
||||||
Octavia -> Octavia [label="Store Amphora IP"];
|
Octavia -> Octavia [label="Store Amphora IP"];
|
||||||
=== Meanwhile, in the Amphora ===
|
Octavia => "Amp Driver" [label="Run Amphora Self-Test", return="PASS/FAIL"] {
|
||||||
Amphora -> Amphora [label="Generate private key and CSR"];
|
"Amp Driver" -> "Amp Driver" [label="Poll DB until first Heartbeat arrives", note="Ref Impl"];
|
||||||
Amphora => Octavia [label="Request Certificate Signing", return = "Signed Certificate"] {
|
"Amp Driver" => "Amphora API" [label="Run Self-Test", note="Ref Impl"] {
|
||||||
Octavia -> Octavia [label="Verify Amphora by source IP"];
|
=== If Self-test passes ===
|
||||||
Octavia => Barbican [label="Process CSR using private CA", return="Signed Certificate"];
|
|
||||||
}
|
|
||||||
Amphora -> Amphora [label="Start Services (API, Heartbeat)"];
|
|
||||||
"Amphora Heartbeat" -> Octavia [label="Announce", note="UDP? HTTPS?"] {
|
|
||||||
Octavia -> Octavia [label="Verify Amphora by source IP (UDP) or certificate (HTTPS)"];
|
|
||||||
=== If Verification fails ===
|
|
||||||
Octavia -> Octavia [label="Log and Ignore"];
|
|
||||||
=== If Verification succeeds ===
|
|
||||||
Octavia => "Amphora API" [label="Run Self-test"];
|
|
||||||
=== If Self-test fails ===
|
|
||||||
Octavia -> Octavia [label="Delete Amphora, retry process"];
|
|
||||||
=== If Self-test succeeds ===
|
|
||||||
Octavia -> Octavia [label="Add Amphora to standby pool"];
|
Octavia -> Octavia [label="Add Amphora to standby pool"];
|
||||||
|
=== If Self-test fails ===
|
||||||
|
Octavia -> Octavia [label="Delete Amphora"];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
=== In the Amphora (Ref Impl) ===
|
||||||
|
Amphora -> Amphora [label="Start Services (API, Heartbeat)"];
|
||||||
|
"Amp Heartbeat" -> "Amp Driver" [label="Announce", note="UDP"] {
|
||||||
|
"Amp Driver" -> "Amp Driver" [label="Verify Amphora by Signed UDP Heartbeat"];
|
||||||
|
=== If Verification fails ===
|
||||||
|
"Amp Driver" -> "Amp Driver" [label="Log and Ignore"];
|
||||||
|
=== If Verification succeeds ===
|
||||||
|
"Amp Driver" -> "Health Manager" [label="Store Heartbeat"];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -53,16 +53,14 @@ event or during some other non-interactive scenario).
|
|||||||
.. seqdiag:: tls-data-security-2.diag
|
.. seqdiag:: tls-data-security-2.diag
|
||||||
|
|
||||||
2. Create a CertificateGenerator interface to generate certificates from CSRs.
|
2. Create a CertificateGenerator interface to generate certificates from CSRs.
|
||||||
When an Amphora spins up, it will generate its own private key and CSR, then
|
When the controller creates an Amphora, it will generate a private key and a
|
||||||
contact the controller and request a signed certificate. The controller will
|
CSR, generate a signed certificate from the CSR, and include the private key
|
||||||
cause one to be generated [2] and return it to the Amphora (syncronous), which
|
and signed certificate in a ConfigDrive for the new Amphora. It will also
|
||||||
will configure the Amphora API to listen using that certificate. All future
|
include a copy of the Controller's certificate on the ConfigDrive. All future
|
||||||
communications with the Amphora will do client certificate validation based on
|
communications with the Amphora will do certificate validation based on these
|
||||||
our (private) certificate authority.
|
certificates. For the Amphora, this will be based on our (private) certificate
|
||||||
|
authority and the CN of the Amphora's cert matching the ID of the Amphora. For
|
||||||
If we are unable to generate a certificate for the Amphora, we will respond
|
the Controller, the cert should be a complete match with the version provided.
|
||||||
with a 503 and the Amphora will be expected to wait some configurable retry
|
|
||||||
period before trying again.
|
|
||||||
|
|
||||||
(The CertificateManager and CertificateGenerator interfaces are separate
|
(The CertificateManager and CertificateGenerator interfaces are separate
|
||||||
because while Barbican can perform both functions, future implementations
|
because while Barbican can perform both functions, future implementations
|
||||||
@ -93,10 +91,7 @@ generic).
|
|||||||
|
|
||||||
REST API impact
|
REST API impact
|
||||||
---------------
|
---------------
|
||||||
There will need to be an API resource in the controller for the Amphora to
|
None
|
||||||
use when requesting a certificate. All further API based communication with
|
|
||||||
the Amphora will take place over HTTPS and validate the certificate of
|
|
||||||
both the server and the client.
|
|
||||||
|
|
||||||
Security impact
|
Security impact
|
||||||
---------------
|
---------------
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user