add HL diagram on the ca generation sequence

2021-07-08 16:07:23 -04:00 · 2021-07-08 16:07:23 -04:00 · 50618d95e2
parent e26c9f46ab
commit 50618d95e2
3 changed files with 52 additions and 2 deletions
--- a/docs/service-mesh/ca/README.md
+++ b/docs/service-mesh/ca/README.md
@ -7,8 +7,14 @@ services and client agents (via auto-encrypt and auto-config).
 ### High level overview
- we can start with the mind map
+In Consul the leader is responsible for handling of the CA management. 
- high level explaination of what are the features that are involved in CA (mesh/connect, auto encrypt)
+When a leader election happen, and the elected leader do not have any root CA available it will start a process of creating a set of CA certificate.
 Those certificates will use to authenticate/encrypt communication between services (service mesh) or between `Consul client agent` (auto-encrypt/auto-config). This process is described in the following diagram:
 ![CA creation](./hl-ca-overview.svg)
 <sup>[source](./hl-ca-overview.mmd)</sup>
 - high level explanation of what are the features that are involved in CA (mesh/connect, auto encrypt)
 - add all the func that are involved in the CA operations
 - relationship between the different certs
--- a/docs/service-mesh/ca/hl-ca-overview.mmd
+++ b/docs/service-mesh/ca/hl-ca-overview.mmd
@ -0,0 +1,43 @@
 graph TD
    subgraph "Primary DC"
        leaderP["Leader"]
        rootCAI["Root CA "]
        rootCA["Root CA "]
        Provider["Consul/AWS providers"]
        IntermediateProvider["Vault provider"]
        intermediateCAP["Intermediate CA "]
        leafP["Leaf certificates"]
    end
    subgraph "Secondary DC"
        leaderS["Leader"]
        intermediateCAS["Intermediate CA"]
        leafS["Leaf certificates"]
        ProviderS["Consul/AWS/Vault providers"]
    end
    consulCAS["Consul client Agents"]
    servicesS["Mesh services"]
    consulCAP["Consul client Agents"]
    servicesP["Mesh services"]
    leaderP -->|use|Provider
    leaderP-->|use|IntermediateProvider
    Provider--> |fetch/self sign|rootCA
    IntermediateProvider --> |fetch/self sign|rootCAI 
    rootCAI -->|sign| intermediateCAP
    intermediateCAP -->|sign| leafP
    rootCA -->|sign| leafP
    leaderS -->|use| ProviderS
    ProviderS --> |generate csr| intermediateCAS
    rootCA -->|sign| intermediateCAS
    rootCAI -->|sign| intermediateCAS
    intermediateCAS --> |sign| leafS
    leafS -->|auth/encrypt| servicesS
    leafS -->|auth/encrypt| consulCAS
    leafP -->|auth/encrypt| servicesP
    leafP -->|auth/encrypt| consulCAP
--- a/docs/service-mesh/ca/hl-ca-overview.svg
+++ b/docs/service-mesh/ca/hl-ca-overview.svg