open-consul/docs/service-mesh/ca/hl-ca-overview.mmd

graph TD
    subgraph "Primary DC"
        leaderP["Leader"]
        rootCAI["Root CA "]
        rootCA["Root CA "]
        Provider["Consul/AWS providers"]
        IntermediateProvider["Vault provider"]
        intermediateCAP["Intermediate CA "]
        leafP["Leaf certificates"]
    end

    subgraph "Secondary DC"
        leaderS["Leader"]
        intermediateCAS["Intermediate CA"]
        leafS["Leaf certificates"]
        ProviderS["Consul/AWS/Vault providers"]
    end

    consulCAS["Consul client Agents"]
    servicesS["Mesh services"]

    consulCAP["Consul client Agents"]
    servicesP["Mesh services"]
    
    leaderP -->|use|Provider
    leaderP-->|use|IntermediateProvider
    Provider--> |fetch/self sign|rootCA
    IntermediateProvider --> |fetch/self sign|rootCAI 
    rootCAI -->|sign| intermediateCAP
    intermediateCAP -->|sign| leafP
    rootCA -->|sign| leafP

    leaderS -->|use| ProviderS
    ProviderS --> |generate csr| intermediateCAS
    rootCA -->|sign| intermediateCAS
    rootCAI -->|sign| intermediateCAS
    intermediateCAS --> |sign| leafS

    leafS -->|auth/encrypt| servicesS
    leafS -->|auth/encrypt| consulCAS
    leafP -->|auth/encrypt| servicesP
    leafP -->|auth/encrypt| consulCAP
add HL diagram on the ca generation sequence 2021-07-08 20:07:23 +00:00			`graph TD`
			`subgraph "Primary DC"`
			`leaderP["Leader"]`
			`rootCAI["Root CA "]`
			`rootCA["Root CA "]`
			`Provider["Consul/AWS providers"]`
			`IntermediateProvider["Vault provider"]`
			`intermediateCAP["Intermediate CA "]`
			`leafP["Leaf certificates"]`
			`end`

			`subgraph "Secondary DC"`
			`leaderS["Leader"]`
			`intermediateCAS["Intermediate CA"]`
			`leafS["Leaf certificates"]`
			`ProviderS["Consul/AWS/Vault providers"]`
			`end`

			`consulCAS["Consul client Agents"]`
			`servicesS["Mesh services"]`

			`consulCAP["Consul client Agents"]`
			`servicesP["Mesh services"]`

			`leaderP -->\|use\|Provider`
			`leaderP-->\|use\|IntermediateProvider`
			`Provider--> \|fetch/self sign\|rootCA`
			`IntermediateProvider --> \|fetch/self sign\|rootCAI`
			`rootCAI -->\|sign\| intermediateCAP`
			`intermediateCAP -->\|sign\| leafP`
			`rootCA -->\|sign\| leafP`

			`leaderS -->\|use\| ProviderS`
			`ProviderS --> \|generate csr\| intermediateCAS`
			`rootCA -->\|sign\| intermediateCAS`
			`rootCAI -->\|sign\| intermediateCAS`
			`intermediateCAS --> \|sign\| leafS`

			`leafS -->\|auth/encrypt\| servicesS`
			`leafS -->\|auth/encrypt\| consulCAS`
			`leafP -->\|auth/encrypt\| servicesP`
			`leafP -->\|auth/encrypt\| consulCAP`