From 45fbadc02c44205034e8b55050de154fb6d8e345 Mon Sep 17 00:00:00 2001
From: Julien Maffre <42961061+jumaffre@users.noreply.github.com>
Date: Wed, 5 Jan 2022 16:51:45 +0000
Subject: [PATCH] Update node certificate renewal documentation diagram (#3358)

---
 doc/img/node_cert_renewal.svg   |  1 -
 doc/operations/certificates.rst | 33 ++++++++++++++++++++++++++++++---
 doc/research/index.rst          |  6 ++++--
 doc/research/raft-tla.rst       |  4 ++--
 4 files changed, 36 insertions(+), 8 deletions(-)
 delete mode 100644 doc/img/node_cert_renewal.svg
diff --git a/doc/img/node_cert_renewal.svg b/doc/img/node_cert_renewal.svg
deleted file mode 100644
index 59d5bac46..000000000
--- a/doc/img/node_cert_renewal.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg width="1167" height="720" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" overflow="hidden"><defs><clipPath id="clip0"><rect x="0" y="0" width="1167" height="720"/></clipPath></defs><g clip-path="url(#clip0)"><rect x="0" y="0" width="1167" height="719.794" fill="#FFFFFF"/><path d="M171.5 153.123 890.972 153.123 890.972 153.79 171.5 153.789ZM889.638 149.456 897.64 153.456 889.638 157.456Z" fill="#4472C4"/><path d="M177.5 230.101 891.578 230.101 891.578 230.768 177.5 230.767ZM890.243 226.434 898.245 230.434 890.243 234.434Z" fill="#4472C4"/><path d="M177.502 315.077 891.58 319.708 891.576 320.374 177.498 315.743ZM890.269 316.032 898.245 320.084 890.217 324.032Z" fill="#4472C4"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="19" transform="matrix(1 0 0 0.999714 77.8994 152)">Node 0<tspan font-size="19" x="0" y="23.0066">(primary)</tspan><tspan font-size="19" x="0" y="77.022">Node 1</tspan><tspan font-size="19" x="1.88684" y="163.047">Node 2</tspan></text><path d="M171 162.953 421.319 162.954" stroke="#4472C4" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M194 239.931 444.319 239.932" stroke="#4472C4" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M226 330.905 476.319 330.905" stroke="#4472C4" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M100 566.838 199.101 566.838" stroke="#4472C4" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><text fill="#4472C4" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="24" transform="matrix(1 0 0 0.999714 216.546 559)">Initial certificate <tspan font-size="24" x="0" y="29.0083">validity period (24h default, </tspan>cchost<tspan font-size="24" x="343.465" y="29.0083">option)</tspan></text><path d="M362.5 113.468 362.5 373.423" stroke="#00B050" stroke-width="3.00086" stroke-miterlimit="8" stroke-dasharray="12.0034 9.00257" fill="none" fill-rule="evenodd"/><text fill="#70AD47" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="19" transform="matrix(1 0 0 0.999714 224.37 62)">Members open service<tspan font-size="19" x="-105.684" y="23.0066">+ </tspan>set_all_nodes_certificates_validity</text><path d="M362 176.949 864.795 176.95" stroke="#A9D18E" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M362 258.926 864.795 258.926" stroke="#A9D18E" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M362 347.901 864.795 347.901" stroke="#A9D18E" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M100 660.811 199.101 660.811" stroke="#A9D18E" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M430.5 445.039 891.203 445.039 891.203 445.706 430.5 445.706ZM889.867 441.373 897.869 445.373 889.867 449.373Z" fill="#4472C4"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="19" transform="matrix(1 0 0 0.999714 303.064 425)">Node 3<tspan font-size="19" x="0" y="23.0066">joins after </tspan><tspan font-size="19" x="0" y="45.0129">service open</tspan></text><path d="M430 456.87 680.319 456.87" stroke="#4472C4" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M584.5 116.467 584.5 499.747" stroke="#F4B183" stroke-width="3.00086" stroke-miterlimit="8" stroke-dasharray="12.0034 9.00257" fill="none" fill-rule="evenodd"/><text fill="#F4B183" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="19" transform="matrix(1 0 0 0.999714 518.482 61)">Members trust new node 3<tspan font-size="19" x="0" y="23.0066">transition_node_to_trusted</tspan></text><path d="M584 469.866 1086.8 469.866" stroke="#F8CBAD" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><path d="M460 651.814 571.798 651.814" stroke="#F8CBAD" stroke-width="6.00171" stroke-miterlimit="8" fill="none" fill-rule="evenodd"/><text fill="#A9D18E" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="24" transform="matrix(1 0 0 0.999714 209.189 653)">Post service open <tspan font-size="24" x="0" y="29.0083">validity period</tspan><tspan fill="#F4B183" font-size="24" x="383.217" y="-6.00171">New joiner</tspan><tspan fill="#F4B183" font-size="24" x="383.217" y="23.0066">Validity period</tspan></text><rect x="777" y="115.967" width="76" height="271.922" stroke="#EE0000" stroke-width="4.00114" stroke-miterlimit="8" stroke-dasharray="16.0046 12.0034" fill="none"/><text fill="#EE0000" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="19" transform="matrix(1 0 0 0.999714 874.172 52)">/!<tspan font-size="19" x="14.004" y="0">\</tspan><tspan font-size="19" x="0" y="23.0066">Members should issue new </tspan><tspan font-size="19" x="0" y="45.0129">set_node_certificate_validity</tspan><tspan font-size="19" x="0" y="68.0194">proposal before certificate expiry</tspan></text></g></svg>
\ No newline at end of file
diff --git a/doc/operations/certificates.rst b/doc/operations/certificates.rst
index fc8bd232d..7cb5eb6ac 100644
--- a/doc/operations/certificates.rst
+++ b/doc/operations/certificates.rst
@@ -8,12 +8,39 @@ Since 2.x releases, the validity period of certificates is no longer hardcoded.
 Node Certificates
 -----------------
 
-At startup, operators can set the validity period for a node using the ``node_certificate.initial_node_cert_validity_days`` configuration entry. The default value is set to 1 day and it is expected that members will issue a proposal to renew the certificate before it expires, when the service is open. Initial nodes certificates are valid from the current system time when the ``cchost`` executable is launched.
+At startup, operators can set the validity period for a node using the ``node_certificate.initial_validity_days`` configuration entry. The default value is set to 1 day and it is expected that members will issue a proposal to renew the certificate before it expires, when the service is open. Initial nodes certificates are valid from the current system time when the ``cchost`` executable is launched.
 
 The ``start.service_configuration.maximum_node_certificate_validity_days`` configuration entry (defaults to 365 days) can be used to set the maximum allowed validity period for nodes certificates when they are renewed by members. It is used as the default value for the validity period when a node certificate is renewed but the validity period is omitted.
 
 .. tip:: Once a node certificate has expired, clients will no longer trust the node serving their request. It is expected that operators and members will monitor the certificate validity dates with regards to current time and renew the node certificate before expiration. See :ref:`governance/common_member_operations:Renewing Node Certificate` for more details.
 
-The procedure that operators and members should follow is summarised in the following example. A 3-node service is started by operators and the initial certificate validity period is set by ``node_certificate.initial_node_cert_validity_days`` (blue). Before these certificates expire, the service is open by members who renew the certificate for each node, via the ``set_all_nodes_certificate_validity`` proposal action, either standalone or bundled with the existing ``transition_service_to_open`` action (green). When a new node (3) joins the service, members should set the validity period for its certificate when submitting the ``transition_node_to_trusted`` proposal (pale orange). Finally, operators and members should issue a new proposal to renew soon-to-expire node certificates (red).
+The procedure that operators and members should follow is summarised in the following example. A 3-node service is started by operators and the initial certificate validity period is set by ``node_certificate.initial_validity_days`` (grey). Before these certificates expire, the service is open by members who renew the certificate for each node, via the ``set_all_nodes_certificate_validity`` proposal action, either standalone or bundled with the existing ``transition_service_to_open`` action. When a new node (3) joins the service, members should set the validity period for its certificate when submitting the ``transition_node_to_trusted`` proposal. Finally, operators and members should issue a new proposal to renew soon-to-expire node certificates (red).
 
-.. image:: ../img/node_cert_renewal.svg
\ No newline at end of file
+.. mermaid::
+
+    gantt
+
+    dateFormat  MM-DD/HH:mm
+    axisFormat  %d/%m
+    todayMarker off
+
+    section Members
+    Service Open By Members + set_all_nodes_certificate_validity :milestone, 01-01/15:00, 0d
+    Members trust new node 3 (transition_node_to_trusted)        :milestone, 01-03/15:00, 0d
+    Members must renew certs before expiry (set_all_nodes_certificate_validity)              :crit, 01-05/15:00, 1d
+
+    section Node 0
+    Initial Validity Period (24h default): done, 01-01/00:00, 1d
+    Post Service Open Validity Period    : 01-01/15:00, 5d
+
+    section Node 1
+    Initial Validity Period (24h default): done, 01-01/01:00, 1d
+    Post Service Open Validity Period    : 01-01/15:00, 5d
+
+    section Node 2
+    Initial Validity Period (24h default): done, 01-01/02:00, 1d
+    Post Service Open Validity Period    : 01-01/15:00, 5d
+
+    section Node 3
+    Initial Validity Period (24h default)      : done, 01-03/00:00, 1d
+    New Joiner Validity Period                 : 01-03/15:00, 4d
\ No newline at end of file
diff --git a/doc/research/index.rst b/doc/research/index.rst
index 26d515ee6..05b7de25e 100644
--- a/doc/research/index.rst
+++ b/doc/research/index.rst
@@ -2,7 +2,7 @@ Research
 ========
 
 :doc:`TLA+ model of CCF's Raft modifications <raft-tla>`
-  CCF implements some modifications to Raft as it was originally proposed by Ongaro and Ousterhout. Specifically, CCF constrains that only appended entries that were signed by the primary can be committed. Any other entry that has not been globally committed is rolled back. Additionally, the CCF implementation introduced a variant of the reconfiguration that is different from the one proposed by the original Raft paper. In CCF CFT, reconfigurations are  done via one transaction (as described :doc:`here </overview/consensus>`).
+  CCF implements some modifications to Raft as it was originally proposed by Ongaro and Ousterhout. Specifically, CCF constrains that only appended entries that were signed by the primary can be committed. Any other entry that has not been globally committed is rolled back. Additionally, the CCF implementation introduced a variant of the reconfiguration that is different from the one proposed by the original Raft paper. In CCF CFT, reconfigurations are  done via one transaction (as described :doc:`here </overview/consensus/1tx-reconfig>`).
 
   The TLA+ model of CCF's Raft changes can be found in the `CCF GitHub repository <https://github.com/microsoft/CCF/tree/main/tla>`_.
 
@@ -18,8 +18,10 @@ Research
   leverages trust in a consortium of governing members and in a network of replicated hardware-protected execution
   environments to achieve high throughput, low latency, strong integrity and strong confidentiality for application data
   and code executing on the ledger.
-  
+
 .. toctree::
+  :hidden:
+
   raft-tla
   PAC: Practical Accountability for CCF <https://arxiv.org/abs/2105.13116>
   CCF whitepaper <https://github.com/microsoft/CCF/blob/main/CCF-TECHNICAL-REPORT.pdf>
diff --git a/doc/research/raft-tla.rst b/doc/research/raft-tla.rst
index cb206c125..2a339175c 100644
--- a/doc/research/raft-tla.rst
+++ b/doc/research/raft-tla.rst
@@ -1,7 +1,7 @@
 TLA+ model of CCF's Raft modifications
 ======================================
 
-The TLA+ specification models the intended behavior of Raft as it is modified for CCF. Below, we explain several core parts of the specification in more detail. 
+The TLA+ specification models the intended behavior of Raft as it is modified for CCF. Below, we explain several core parts of the specification in more detail.
 
 You can find the full specification in the `CCF GitHub repository <https://github.com/microsoft/CCF/tree/main/tla>`_ and more information on TLA+ `here <http://lamport.azurewebsites.net/tla/tla.html>`_. Several good resources exist online, one good example is `this guide <https://www.learntla.com/introduction/about-this-guide/>`_.
 
@@ -63,7 +63,7 @@ In CCF, the leader periodically signs the latest log prefix. Only these signatur
 Reconfiguration steps
 ---------------------
 
-The one transaction reconfiguration is already described :doc:`here </overview/consensus>`. In the TLA model, a reconfiguration is initiated by the Leader which appends an arbitrary new configuration to its own log. This also triggers a change in the ``Configurations`` variable which keeps track of all running configurations.
+The one transaction reconfiguration is already described :doc:`here </overview/consensus/1tx-reconfig>`. In the TLA model, a reconfiguration is initiated by the Leader which appends an arbitrary new configuration to its own log. This also triggers a change in the ``Configurations`` variable which keeps track of all running configurations.
 
 In the following, this ``Configurations`` variable is then checked to calculate a quorum and to check which nodes should be contacted or received messages from.
 
