diagram.dot
// Trust and identity flow between SPIRE and the Kubernetes control plane.
// Edge colours follow the legend in cluster_legend at the bottom of this file:
//   blue  = Identity Flow
//   red   = CA Information Flow (trust bundles)
//   black = Network / OS Call
// Graphviz note: dir=back draws the arrowhead at the tail end, so
// `a -> b [dir=back]` renders as an arrow from b to a; it is used below to
// show which side initiates a connection. Statement order influences dot's
// layout, so keep the existing order when editing.
digraph G {
// rankdir = LR;
// Main topology. peripheries=0 hides the cluster border.
subgraph cluster_main {
peripheries=0
spire_server[shape=box,label="SPIRE Server"]
spire_agent[shape=box,label="SPIRE Agent"]
// Components that consume the agent's Workload API over its socket.
subgraph cluster_clients {
k8s_spiffe_workload_auth_config[shape=box,label="K8s SPIFFE Workload Auth Config"]
k8s_spiffe_workload_jwt_exec_auth[shape=box,label="K8s SPIFFE Workload JWT Exec Auth"]
spiffe_oidc_discovery_provider[shape=box,label="SPIFFE OIDC Discovery Provider"]
}
// API server and the on-disk auth config it reads trust material from.
subgraph cluster_api {
auth_config_yaml[shape=note,label="auth-config.yaml"]
kube_apiserver[shape=box,label="Kubernetes API Server"]
}
kubelet[shape=box,label="Kubelet"]
// Server <-> agent: the agent opens the HTTPS connection (dir=back); the
// server delivers identities (blue) and the JWT & x509 bundles (red).
// "Red" is capitalised here while every other edge uses "red"; Graphviz
// colour names are case-insensitive so it renders the same, but match the
// others the next time this line is touched.
spire_server -> spire_agent[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>HTTPS</td></tr></table>>]
spire_server -> spire_agent[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identities</td></tr></table>>,color="blue",fontcolor="blue"]
spire_server -> spire_agent[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>JWT & x509 Bundles</td></tr></table>>,color="Red",fontcolor="red"]
// Agent <-> workload auth config: client connects to the agent socket
// (dir=back) and receives an identity (blue) plus the x509 bundle (red).
spire_agent -> k8s_spiffe_workload_auth_config[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Socket</td></tr></table>>]
spire_agent -> k8s_spiffe_workload_auth_config[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identity</td></tr></table>>,color="blue",fontcolor="blue"]
spire_agent -> k8s_spiffe_workload_auth_config[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>x509 Bundle</td></tr></table>>,color="red",fontcolor="red"]
// Agent <-> OIDC discovery provider: same socket pattern; the provider
// receives an identity (blue) and the JWT bundle (red).
spire_agent -> spiffe_oidc_discovery_provider[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Socket</td></tr></table>>]
spire_agent -> spiffe_oidc_discovery_provider[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identity</td></tr></table>>,color="blue",fontcolor="blue"]
spire_agent -> spiffe_oidc_discovery_provider[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>JWT Bundle</td></tr></table>>,color="red",fontcolor="red"]
// OIDC discovery provider <-> API server: the API server connects over
// HTTPS (dir=back) and obtains the JWT bundle (red) from the provider.
spiffe_oidc_discovery_provider -> kube_apiserver[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>HTTPS</td></tr></table>>]
spiffe_oidc_discovery_provider -> kube_apiserver[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>JWT Bundle</td></tr></table>>,color="red",fontcolor="red"]
// Workload auth config reads and writes auth-config.yaml (dir=both) and
// places the x509 bundle in it (red); the API server then reads the file
// and the bundle from it. NOTE(review): the file is a persisted copy of
// trust material on the CA-information path, so its integrity and access
// controls matter as much as the live edges — confirm how it is protected.
k8s_spiffe_workload_auth_config -> auth_config_yaml[dir=both,label="Read / Write"]
k8s_spiffe_workload_auth_config -> auth_config_yaml[label="x509 Bundle",color="red",fontcolor="red"]
auth_config_yaml -> kube_apiserver[dir=back,label="Read"]
auth_config_yaml -> kube_apiserver[label="x509 Bundle",color="red",fontcolor="red"]
// Kubelet -> API server: the kubelet initiates the HTTPS connection and
// presents its identity (both edges dir=back, so both arrows point at the
// API server).
kube_apiserver -> kubelet[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>HTTPS</td></tr></table>>]
kube_apiserver -> kubelet[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identity</td></tr></table>>,color="blue",fontcolor="blue"]
// JWT exec auth: connects to the agent socket (dir=back) for an identity;
// the kubelet executes it (dir=back) and receives that identity (blue).
spire_agent -> k8s_spiffe_workload_jwt_exec_auth[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Socket</td></tr></table>>]
spire_agent -> k8s_spiffe_workload_jwt_exec_auth[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identity</td></tr></table>>,color="blue",fontcolor="blue"]
k8s_spiffe_workload_jwt_exec_auth -> kubelet[dir=back,label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Execute</td></tr></table>>]
k8s_spiffe_workload_jwt_exec_auth -> kubelet[label=<<table cellpadding="10" border="0" cellborder="0"><tr><td>Identity</td></tr></table>>,color="blue",fontcolor="blue"]
}
// Legend: pairs of invisible point nodes on one rank carry a sample edge of
// each colour; the invisible d1->p0 and p1->s0 edges keep the three samples
// in a row.
subgraph cluster_legend {
label = <<table cellpadding="10" border="0" cellborder="0"><tr><td><b>Legend</b></td></tr></table>>;
node [shape=point]
{
rank=same
d0 [style = invis];
d1 [style = invis];
p0 [style = invis];
p1 [style = invis];
s0 [style = invis];
s1 [style = invis];
o0[style=invis];
}
p0 -> p1 [label="Identity Flow",color=blue,fontcolor=blue]
s0 -> s1 [label="CA Information Flow",color=red,fontcolor=red]
d0 -> d1 [label="Network / OS Call"]
d1 -> p0[style=invis]
p1 -> s0[style=invis]
}
// Invisible edge from the legend's spare node to the main graph; presumably
// only there to anchor the legend's placement relative to cluster_main.
o0 -> spire_server [style=invis]
}