digraph {
    grpc -> ca [label="Send CSR gRPC Request"]
    subgraph cluster_istioagent {
        label = "Istio Agent"
        color="orange"
        sds
        SecretManager -> caClient [label="Sign CSR"]
        caClient -> grpc
        grpc -> TokenProvider [dir=none,label="Fetch JWT",color=purple]
        grpc -> cfiles [dir=none,label="Fetch Cert",color=purple]

        sds -> SecretManager [label="Generate certificate"]

10.244.0.156:9402                                HEALTHY                  outbound|9402||cert-manager-istio-csr-metrics.cert-manager.svc.cluster.local
10.244.0.156:6443                                HEALTHY                  outbound|443||cert-manager-istio-csr.cert-manager.svc.cluster.local

digraph {
    envoy -> sds [dir=both, label="SDS"]
    envoy -> xdsproxy  [dir=both, label="ADS"]

    sds -> ca [label="CSR"]

    xdsproxy -> discovery [dir=both,label="ADS"]

    envoy [shape=hexagon, color=purple]

    subgraph cluster_istioagent {
        label = "Istio Agent"
        color="orange"
        sds
        xdsproxy
    }

    subgraph cluster_istiod {
        label = "Istiod"
        color="lightblue"

at two levels. For distributing workload certificates, Envoy will send [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
requests to the agent, causing the agent to submit a CSR to the configured CA (generally Istiod). For other configuration,
Envoy will send [ADS](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration#aggregated-xds-ads)

  repeated CertificateSigningRequest items = 2;
}

// CertificateSigningRequestSpec contains the certificate request.
message CertificateSigningRequestSpec {
  // Base64-encoded PKCS#10 CSR data
  // +listType=atomic
  optional bytes request = 1;

  // Requested signer for the request. It is a qualified name in the form:
  // `scope-hostname.io/name`.
  // If empty, it will be defaulted: