Merge pull request #148 from HarperDB/CORE-2618

add docs for revoked certs

Author: DavidCockerill

docs/deployments/configuration.md

@@ -212,6 +212,10 @@ An array of routes to connect to other nodes. Each element in the array can be e
 
 Replication will attempt to catch up on all remote data upon setup. To start replication from a specific date, set this property.
 
+`revokedCertificates` - _Type_: array;
+
+An array of serial numbers of revoked certificates. If a connection is attempted with a certificate that is in this list, the connection will be rejected.
+
 ```yaml
 replication:
   copyTablesToCatchUp: true
@@ -221,6 +225,9 @@ replication:
     - hostname: server-three # define a hostname and port
       port: 9930
       startTime: 2024-02-06T15:30:00Z
+      revokedCertificates:
+        - 1769F7D6A
+        - QA69C7E2S
 ```
 
 `port` - _Type_: integer; 

docs/developers/operations-api/clustering.md

@@ -15,6 +15,7 @@ _Operation is restricted to super_user roles only_
 * verify_tls _(optional)_ - a boolean which determines if the TLS certificate should be verified. This will allow the HarperDB default self-signed certificates to be accepted. Defaults to `true`
 * authorization _(optional)_ - an object or a string which contains the authorization information for the node being added. If it is an object, it should contain `username` and `password` fields. If it is a string, it should use HTTP `Authorization` style credentials
 * retain_authorization _(optional)_ - a boolean which determines if the authorization credentials should be retained/stored and used everytime a connection is made to this node. If `true`, the authorization will be stored on the node record. Generally this should not be used, as mTLS/certificate based authorization is much more secure and safe, and avoids the need for storing credentials. Defaults to `false`.
+* revoked_certificates _(optional)_ - an array of revoked certificates serial numbers. If a certificate is revoked, it will not be accepted for any connections.
 * subscriptions _(optional)_ - The relationship created between nodes. If not provided a fully replicated cluster will be setup. Must be an object array and include `database`, `table`, `subscribe` and `publish`:
   * database - the database to replicate
   * table - the table to replicate
@@ -52,6 +53,7 @@ _Note: will attempt to add the node if it does not exist_
 
 * operation _(required)_ - must always be `update_node`
 * hostname _(required)_ - the `hostname` of the remote node you are updating
+* revoked_certificates _(optional)_ - an array of revoked certificates serial numbers. If a certificate is revoked, it will not be accepted for any connections.
 * subscriptions _(required)_ - The relationship created between nodes. Must be an object array and include `database`, `table`, `subscribe` and `publish`:
   * database - the database to replicate from
   * table - the table to replicate from

docs/developers/replication/README.md

@@ -144,6 +144,32 @@ You can also provide credentials in HTTP Authorization format (Basic auth, Token
 
 Additionally, you can use `set_node` as an alias for the `add_node` operation if you prefer.
 
+#### Revoking Certificates
+
+Certificates used in replication can be revoked by using the certificate serial number and either the `revoked_certificates` attribute in the `hdb_nodes` system table or route config in `harperdb-config.yaml`.
+
+To utilize the `revoked_certificates` attribute in the `hdb_nodes` table, you can use the `add_node` or `update_node` operation to add the certificate serial number to the `revoked_certificates` array. For example:
+
+```json
+{
+  "operation": "update_node",
+  "hostname": "server-two",
+  "revoked_certificates": ["1769F7D6A"]
+}
+```
+
+To utilize the replication route config in `harperdb-config.yaml`, you can add the certificate serial number to the `revokedCertificates` array. For example:
+
+```yaml
+replication:
+  routes:
+    - hostname: server-three
+      port: 9930
+      revokedCertificates:
+        - 1769F7D6A
+        - QA69C7E2S
+```
+
 #### Removing Nodes
 
 Nodes can be removed from the cluster using the [`remove_node` operation](../operations-api/clustering.md). This will remove the node from the cluster, and stop replication to and from the node. For example: