contrib: add first draft of Connect CA developer docs
Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
This commit is contained in:
parent
4198c09c47
commit
e26c9f46ab
|
@ -3,7 +3,7 @@
|
|||
- call out: envoy/proxy is the data plane, Consul is the control plane
|
||||
- [xDS Server] - a gRPC service that implements [xDS] and handles requests from an [envoy proxy].
|
||||
- [agent/proxycfg]
|
||||
- CA Manager - certificate authority
|
||||
- [Certificate Authority](./ca) for issuing TLS certs for services and client agents
|
||||
- command/connect/envoy - bootstrapping and running envoy
|
||||
- command/connect/proxy - built-in proxy that is dev-only and not supported
|
||||
for production.
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
# Certificate Authority (Connect CA)
|
||||
|
||||
The Certificate Authority subsystem manages a CA trust chain for issuing certificates to
|
||||
services and client agents (via auto-encrypt and auto-config).
|
||||
|
||||
## Architecture
|
||||
|
||||
### High level overview
|
||||
|
||||
- we can start with the mind map
|
||||
- high level explaination of what are the features that are involved in CA (mesh/connect, auto encrypt)
|
||||
- add all the func that are involved in the CA operations
|
||||
- relationship between the different certs
|
||||
|
||||
|
||||
### CA and Certificate relationship
|
||||
|
||||
This diagram shows the relationship between the CA certificates in Consul primary and
|
||||
secondary.
|
||||
|
||||
![CA relationship](./cert-relationship.svg)
|
||||
|
||||
<sup>[source](./cert-relationship.mmd)</sup>
|
||||
|
||||
TODO: describe the relationship
|
||||
|
||||
* what does it mean for the external root CA to be optional
|
||||
* it always exists , unless the Consul CA provider is used AND it has generated the CA
|
||||
root.
|
||||
* relationship between Primary Root CA and Signing CA in the primary
|
||||
* sometimes its the same thing (Consul, and AWS providers)
|
||||
* sometimes it is different (Vault provider)
|
||||
* client agent cert is used by auto-encrypt for Agent HTTP TLS (and client side of RPC
|
||||
TLS)
|
||||
* leaf cert service is the cert used by a service in the mesh
|
||||
|
||||
### detailed call flow
|
||||
- sequence diagram for leader election
|
||||
- sequence diagram for leaf signing
|
||||
- sequence diagram for CA cert rotation
|
|
@ -0,0 +1,31 @@
|
|||
graph TD
|
||||
|
||||
ExternalRootCA["External RootCA (optional)"]
|
||||
|
||||
subgraph "Consul Primary"
|
||||
PrimaryRootCA["Primary Root CA"]
|
||||
PrimarySigningCA["Primary Signing CA (conditional)"]
|
||||
end
|
||||
|
||||
subgraph "Consul Secondary"
|
||||
SeconarySigningCA["Seconary Signing CA"]
|
||||
end
|
||||
|
||||
LeafCertAgentPrimary[Leaf Cert Client Agent]
|
||||
LeafCertServicePrimary[Leaf Cert Service]
|
||||
|
||||
LeafCertAgentSecondary[Leaf Cert Client Agent]
|
||||
LeafCertServiceSecondary[Leaf Cert Service]
|
||||
|
||||
|
||||
ExternalRootCA -.-> PrimaryRootCA
|
||||
PrimaryRootCA -.-> PrimarySigningCA
|
||||
|
||||
PrimaryRootCA --> SeconarySigningCA
|
||||
|
||||
PrimarySigningCA --> LeafCertAgentPrimary
|
||||
PrimarySigningCA --> LeafCertServicePrimary
|
||||
|
||||
SeconarySigningCA --> LeafCertAgentSecondary
|
||||
SeconarySigningCA --> LeafCertServiceSecondary
|
||||
|
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 16 KiB |
Loading…
Reference in New Issue