refresh
@@ -91,9 +91,10 @@ credentials.
| customer ↔ controller UI | management UI | Cloudflare Tunnel; UI auth (bcrypt) | the customer's own box |
| controller ↔ agent | snapshot/resize/backup requests | local constrained RPC; agent authorizes per-guest | the controller's own guest only |
| agent ↔ hub | reports + signed jobs | outbound poll; signed jobs | one box; signed jobs limit forgery |
| controller ↔ hub | app-domain reports/jobs | outbound, own API key | app-domain of one customer |
| controller ↔ hub | app-domain reports/jobs (incl. geo desired-state) | outbound, own API key | app-domain of one customer |
| box ↔ PBS | encrypted backups | outbound; per-customer namespace; client-side encryption | ciphertext only (operator can't read) |
| guest ↔ Proxmox host | **(none direct)** | the guest holds no Proxmox creds; all via the agent | — |
| hub ↔ Cloudflare API | geo-restriction WAF (enforcement) | the **hub** holds the CF API token; reconciles geo desired-state → WAF | the customer's zone/WAF |

---
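Review bot: the new `hub ↔ Cloudflare API` row gives the blast radius as "the customer's zone/WAF", which only holds if the CF API token the hub holds is scoped per customer (one zone, WAF edit only); if the hub holds a single token spanning zones, a hub compromise reaches every customer's zone, so the row should name the token scope. The same row pairs with the updated `controller ↔ hub` row: geo desired-state now originates on the controller, which per the first row runs on the customer's own box, so the hub should validate it (allowed country codes, expected shape) before reconciling it into WAF rules rather than applying it verbatim; suggest making that explicit in the how-column, e.g. `reconciles validated geo desired-state → WAF`.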
@@ -123,8 +124,10 @@ credentials.
DNS/routing stay intact through an outage.
- **Outbound only** for control/report/backup (poll to hub, push to PBS). No inbound control
endpoint exists in the chosen model.
- **OPEN:** Cloudflare Tunnel placement — host vs guest (`cloudflared` on the Proxmox host
routing to guest services, or inside the customer LXC). To resolve in a later part.
- **Tunnel placement: host** (resolved, Part 3 §3/§5). `cloudflared` runs on the Proxmox host
as its own **agent-managed systemd service** — not inside the guest — so the data path
survives control-plane death by construction. Geo-restriction WAF is **hub-enforced** (the
hub holds the CF API token; the controller only reports geo desired-state).

---
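Review bot: "survives control-plane death by construction" in the resolved tunnel-placement bullet is only true if the agent-managed `cloudflared` unit has no runtime dependency on the agent or the controller; suggest stating that the unit keeps its tunnel credential and config on the host's local disk, restarts on its own (systemd `Restart=always`), and that the agent only installs and updates it. The bullet should also record the consequence of moving `cloudflared` out of the guest: the tunnel credential now lives on the Proxmox host, so a host compromise exposes the tunnel for every guest that host serves, which is a different blast radius from the per-guest one the earlier "inside the customer LXC" option carried.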
@@ -190,9 +193,7 @@ credentials.

## 11. Open sub-decisions (carried into later parts)

- Cloudflare Tunnel placement: host vs guest (§7).
- **RTO/RPO targets** → drive the backup + offsite-replication schedule (§8).
- Self-update flow (scenario 5) — not yet designed.
- Offboarding / decommission (scenario 6) — not yet designed; must honour "never hold data
hostage" in credential revocation + data hand-off.
- Multi-tenant resource fairness — deferred until multi-tenant is real (§2).
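Review bot: the `Self-update flow (scenario 5) — not yet designed.` entry is dropped from §11 with no forward pointer, whereas the §7 tunnel bullet keeps a "(resolved, Part 3 §3/§5)" marker; suggest replacing the removed line with a resolved marker, e.g. `- Self-update flow (scenario 5) — resolved, see Part 3 §11.`, so this document still tells a reader where the decision lives instead of leaving the changelog entry as the only trace.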
@@ -205,4 +206,15 @@ credentials.
- **Phase 1** → §3/§5: validated the privilege boundary (create/allocate is operator-tier).
The guest-side scoped-backup-token it proved possible is **not** used — we chose the
agent-mediated path — but it confirmed restore = operator-tier, which shapes the agent.
- **Phase 2** → §8/§9: backup→restore round-trip; identity reset on restore.
- **Phase 2** → §8/§9: backup→restore round-trip; identity reset on restore.

---

## Changelog — design-review + Phase-3 fold-in (2026-06-08)

- §5 trust boundaries: **added `hub ↔ Cloudflare API`** row (hub holds the CF token, enforces
geo→WAF); controller↔hub row notes it carries geo desired-state (S4).
- §7 networking: **tunnel placement resolved → host** (agent-managed systemd service); geo is
hub-enforced (S4/S5).
- §11 open items: removed the now-resolved **tunnel placement** and **self-update flow** entries
(S5; self-update designed in 03 §11).
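Review bot: the `**Phase 2** → §8/§9` bullet appears twice in succession in this hunk with identical visible text; the header's counts (4 old lines, 15 new lines) only fit one Phase 2 bullet on each side, so this is a removed-and-re-added line with no visible difference, most likely trailing whitespace. Suggest dropping that change from the commit so the diff records only the changelog addition.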