contrib: add first draft of Connect CA developer docs

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
Daniel Nephin 2021-07-08 14:52:22 -04:00
parent 4198c09c47
commit e26c9f46ab
4 changed files with 73 additions and 1 deletions

@ -3,7 +3,7 @@
- call out: envoy/proxy is the data plane, Consul is the control plane
- [xDS Server] - a gRPC service that implements [xDS] and handles requests from an [envoy proxy].
- [agent/proxycfg]
- CA Manager - certificate authority
- [Certificate Authority](./ca) for issuing TLS certs for services and client agents
- command/connect/envoy - bootstrapping and running envoy
- command/connect/proxy - built-in proxy that is dev-only and not supported
for production.
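Review bot: the replacement bullet drops the component name. The line `CA Manager - certificate authority` is replaced by `[Certificate Authority](./ca) for issuing TLS certs for services and client agents`, so a reader scanning this architecture list no longer sees the name of the code component (CA Manager) that the linked page documents. Suggest keeping both, following the pattern of the `[xDS Server] - a gRPC service ...` entry above it, e.g. `CA Manager - [Certificate Authority](./ca) for issuing TLS certs for services and client agents`.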

@ -0,0 +1,40 @@
# Certificate Authority (Connect CA)
The Certificate Authority subsystem manages a CA trust chain for issuing certificates to
services and client agents (via auto-encrypt and auto-config).
## Architecture
### High level overview
- we can start with the mind map
- high level explaination of what are the features that are involved in CA (mesh/connect, auto encrypt)
- add all the func that are involved in the CA operations
- relationship between the different certs
### CA and Certificate relationship
This diagram shows the relationship between the CA certificates in Consul primary and
secondary.
![CA relationship](./cert-relationship.svg)
<sup>[source](./cert-relationship.mmd)</sup>
TODO: describe the relationship
* what does it mean for the external root CA to be optional
* it always exists , unless the Consul CA provider is used AND it has generated the CA
root.
* relationship between Primary Root CA and Signing CA in the primary
* sometimes its the same thing (Consul, and AWS providers)
* sometimes it is different (Vault provider)
* client agent cert is used by auto-encrypt for Agent HTTP TLS (and client side of RPC
TLS)
* leaf cert service is the cert used by a service in the mesh
### detailed call flow
- sequence diagram for leader election
- sequence diagram for leaf signing
- sequence diagram for CA cert rotation
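Review bot: the bullet `it always exists , unless the Consul CA provider is used AND it has generated the CA root.` under "what does it mean for the external root CA to be optional" is ambiguous about which certificate `it` refers to (the external root or the Consul-generated root); state the two cases separately so the condition matches the "(optional)" label on the External RootCA node in the diagram. Minor text fixes in the same hunk: `explaination` should be `explanation`, `sometimes its the same thing` should be `it's`, the stray space before the comma in `exists ,`, and `### detailed call flow` should be capitalized like the sibling heading `### High level overview`.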

@ -0,0 +1,31 @@
graph TD
ExternalRootCA["External RootCA (optional)"]
subgraph "Consul Primary"
PrimaryRootCA["Primary Root CA"]
PrimarySigningCA["Primary Signing CA (conditional)"]
end
subgraph "Consul Secondary"
SeconarySigningCA["Seconary Signing CA"]
end
LeafCertAgentPrimary[Leaf Cert Client Agent]
LeafCertServicePrimary[Leaf Cert Service]
LeafCertAgentSecondary[Leaf Cert Client Agent]
LeafCertServiceSecondary[Leaf Cert Service]
ExternalRootCA -.-> PrimaryRootCA
PrimaryRootCA -.-> PrimarySigningCA
PrimaryRootCA --> SeconarySigningCA
PrimarySigningCA --> LeafCertAgentPrimary
PrimarySigningCA --> LeafCertServicePrimary
SeconarySigningCA --> LeafCertAgentSecondary
SeconarySigningCA --> LeafCertServiceSecondary
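Review bot: `SeconarySigningCA["Seconary Signing CA"]` misspells "Secondary" in both the node id and the rendered label; the label is what appears in the generated SVG, so fix at least the label (and if the id is renamed, update the three edges that reference `SeconarySigningCA`). The diagram also mixes two edge styles with no legend: dotted edges (`ExternalRootCA -.-> PrimaryRootCA`, `PrimaryRootCA -.-> PrimarySigningCA`) appear to mean "optional/conditional" while solid edges mean "signs"; a `%%` comment in the .mmd, or a sentence under the diagram in ca.md, should say so explicitly.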