add HL diagram on the ca generation sequence

2021-07-08 16:07:23 -04:00 · 2021-07-08 16:07:23 -04:00 · 440db2985a
parent 79f4d53079
commit 440db2985a
3 changed files with 52 additions and 2 deletions
--- a/docs/service-mesh/ca/README.md
+++ b/docs/service-mesh/ca/README.md
@ -7,8 +7,14 @@ services and client agents (via auto-encrypt and auto-config).

 ### High level overview

- we can start with the mind map
- high level explaination of what are the features that are involved in CA (mesh/connect, auto encrypt)
+In Consul the leader is responsible for handling of the CA management. 
+When a leader election happen, and the elected leader do not have any root CA available it will start a process of creating a set of CA certificate.
+Those certificates will use to authenticate/encrypt communication between services (service mesh) or between `Consul client agent` (auto-encrypt/auto-config). This process is described in the following diagram:
+![CA creation](./hl-ca-overview.svg)
+
+<sup>[source](./hl-ca-overview.mmd)</sup>
+
+- high level explanation of what are the features that are involved in CA (mesh/connect, auto encrypt)
 - add all the func that are involved in the CA operations
 - relationship between the different certs

--- a/docs/service-mesh/ca/hl-ca-overview.mmd
+++ b/docs/service-mesh/ca/hl-ca-overview.mmd
@ -0,0 +1,43 @@
+graph TD
+    subgraph "Primary DC"
+        leaderP["Leader"]
+        rootCAI["Root CA "]
+        rootCA["Root CA "]
+        Provider["Consul/AWS providers"]
+        IntermediateProvider["Vault provider"]
+        intermediateCAP["Intermediate CA "]
+        leafP["Leaf certificates"]
+    end
+
+    subgraph "Secondary DC"
+        leaderS["Leader"]
+        intermediateCAS["Intermediate CA"]
+        leafS["Leaf certificates"]
+        ProviderS["Consul/AWS/Vault providers"]
+    end
+
+    consulCAS["Consul client Agents"]
+    servicesS["Mesh services"]
+
+    consulCAP["Consul client Agents"]
+    servicesP["Mesh services"]
+    
+    leaderP -->|use|Provider
+    leaderP-->|use|IntermediateProvider
+    Provider--> |fetch/self sign|rootCA
+    IntermediateProvider --> |fetch/self sign|rootCAI 
+    rootCAI -->|sign| intermediateCAP
+    intermediateCAP -->|sign| leafP
+    rootCA -->|sign| leafP
+
+    leaderS -->|use| ProviderS
+    ProviderS --> |generate csr| intermediateCAS
+    rootCA -->|sign| intermediateCAS
+    rootCAI -->|sign| intermediateCAS
+    intermediateCAS --> |sign| leafS
+
+    leafS -->|auth/encrypt| servicesS
+    leafS -->|auth/encrypt| consulCAS
+    leafP -->|auth/encrypt| servicesP
+    leafP -->|auth/encrypt| consulCAP
+
--- a/docs/service-mesh/ca/hl-ca-overview.svg
+++ b/docs/service-mesh/ca/hl-ca-overview.svg