From c0912ad3031d0939015f34e3f583b09f04029d9c Mon Sep 17 00:00:00 2001 From: Daniel Hiltgen Date: Tue, 27 Oct 2015 16:00:12 -0700 Subject: [PATCH] Lockdown CA (CFSSL) with mutual TLS This change re-wires the way we have CFSSL hooked up so that it requires mutual TLS to access the service. Instead of using command line arguments, and thus relying on environment variables from linking, this change also switches to registering the CAs via KV store entries. The current CFSSL implementation does not support mutual TLS natively, so I've leveraged socat and a proxy container (much like we do for docker) in the interest of expediency. (so under the covers it's still a link between cfss and the proxy.) Once upstream supports mutual TLS (or if we decide to fork/patch it) we can drop the proxy and eliminate all the links. --- install-beta.md | 4 ++++ quickstart.md | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/install-beta.md b/install-beta.md index c55ebef3c6..790b67ebe5 100644 --- a/install-beta.md +++ b/install-beta.md @@ -61,6 +61,8 @@ Orca includes Docker Swarm as part of its installation. So, you don't need to in | `2376` | Swarm manager | | `12376` | Engine proxy | | `12379`, `12380` | Key Value store | +| `12381` | Swarm CA service| +| `12382` | Orca CA service | The communication between the server, nodes, and key value store is all protected by mutual TLS. The Orca installation of Swarm provides TLS for you automatically. 
@@ -129,6 +131,8 @@ If you choose this option, create your volumes prior to installing Orca. The vol | `orca-swarm-root-ca` | The certificate and key for the Swarm root CA. | | `orca-server-certs` | The server certificates for the Orca web server. | | `orca-swarm-node-certs` | The Swarm certificates for the current node (repeated on every node in the cluster). | +| `orca-swarm-kv-certs` | The Swarm KV client certificates for the current node (repeated on every node in the cluster). | +| `orca-swarm-controller-certs` | The Orca Controller Swarm client certificates for the current node. | | `orca-config` | Orca server configuration settings (ID, locations of key services). | | `orca-kv` | Key value store persistence. | diff --git a/quickstart.md b/quickstart.md index fd462aaee5..d1ce516459 100644 --- a/quickstart.md +++ b/quickstart.md @@ -15,7 +15,8 @@ running quickly, so lets dive right in! * Orca Server: 443 * Swarm Manager: 2376 (user configurable) - Protected via mutual TLS * Engine Proxy: 12376 - Protected via mutual TLS - * KV Store: 12379, 12380 - Will be protected by mutual TLS soon + * KV Store: 12379, 12380 - Protected by mutual TLS + * CAs: 12381, 12382 - Protected by mutual TLS # Initial Installation @@ -52,6 +53,8 @@ can pre-create volumes prior to installing Orca. * **orca-swarm-root-ca** - The certificate and key for the Swarm Root CA * **orca-server-certs** - The server certificates for the Orca web server * **orca-swarm-node-certs** - The swarm certificates for the current node (repeated on every node in the cluster) +* **orca-swarm-kv-certs** The Swarm KV client certificates for the current node (repeated on every node in the cluster) +* **orca-swarm-controller-certs** The Orca Controller Swarm client certificates for the current node * **orca-config** - Orca server configuration settings (ID, locations of key services) * **orca-kv** - KV store persistence
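Review bot: In the install-beta.md port table hunk, the added row `| \`12381\` | Swarm CA service|` is missing the space before the closing pipe that every other row in that table has (compare `| \`12376\` | Engine proxy |`); write it as `| \`12381\` | Swarm CA service |` so the rows stay uniform. The unchanged sentence right below the table ("The communication between the server, nodes, and key value store is all protected by mutual TLS.") should also be extended to mention the two CA services now that this change puts them behind mutual TLS.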
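Review bot: In the install-beta.md volumes hunk, the new `orca-swarm-kv-certs` row says "(repeated on every node in the cluster)" while the new `orca-swarm-controller-certs` row does not; if the controller client certificates live only on the controller node, state that explicitly in the description so readers pre-creating volumes know which nodes need it.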
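Review bot: In the quickstart.md ports hunk, the added line `* CAs: 12381, 12382 - Protected by mutual TLS` does not say which CA answers on which port, whereas install-beta.md in this same patch assigns 12381 to the Swarm CA and 12382 to the Orca CA; listing them as two bullets (`* Swarm CA: 12381 - Protected via mutual TLS` and `* Orca CA: 12382 - Protected via mutual TLS`) keeps the two documents consistent. The two added lines also use "Protected by" where the surrounding bullets use "Protected via"; pick one wording.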
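Review bot: In the quickstart.md volumes hunk, the two added bullets omit the ` - ` separator that every other bullet in the list uses between the bold volume name and its description (`* **orca-swarm-kv-certs** The Swarm KV client certificates ...` versus `* **orca-swarm-root-ca** - The certificate and key ...`); add the separator so the list renders consistently.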