Skip to content

docs: fix mermaid edge label and document wildcardSecretName for v1.5#615

Open
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
mainfrom
docs/fix-mermaid-edge-label-and-wildcard-secret-name
Open

docs: fix mermaid edge label and document wildcardSecretName for v1.5#615
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
mainfrom
docs/fix-mermaid-edge-label-and-wildcard-secret-name

Conversation

@lexfrei

@lexfrei Aleksei Sviridkin (lexfrei) commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

The traffic-path flowchart on the Gateway API page does not render. The edge label CM -.->|issues Certificate(s)| GW contains unquoted parentheses inside a pipe-delimited label, which Mermaid's parser rejects, so the whole flowchart fails — the diagram is simply absent from the page. Quoting the label fixes it and matches the convention already used by every other edge label in these docs (see the -->|"L2 (ARP) or BGP"| S1 labels on the networking architecture page). The same line is present in both the v1.5 and the next snapshot, so both are fixed.

Verified by rendering rather than by inspection: run through mermaid's own renderer, the current version throws and produces no SVG at all, while the quoted version produces the full diagram. A Hugo build cannot catch this — the fenced block is emitted verbatim and parsed client-side in the browser, so the build stays green either way.

Separately, the v1.5 platform-package reference is missing the row for publishing.certificates.wildcardSecretName. The option genuinely ships in v1.5 and the v1.5 release blog post describes the feature, but the reference table jumps straight from the DNS-01 rows to publishing.proxyProtocol. The row is already present in the next docs, so only the v1.5 snapshot was stale. The wording is adapted from the next row, with the cross-reference to publishing.certificates.wildcard removed — that key does not exist in v1.5.

Summary by CodeRabbit

  • Documentation
    • Updated Gateway API traffic diagrams in the latest and v1.5 documentation for clearer certificate flow labeling.
    • Added documentation for configuring an existing wildcard TLS Secret for platform publishing.
    • Clarified Secret requirements, hostname coverage, and how this setting affects ACME certificate issuance.

The Gateway API traffic-path flowchart failed to render: an edge label
contained unquoted parentheses, which Mermaid's parser rejects. Quote it,
matching the convention used by every other edge label in these docs.

The v1.5 platform-package reference was also missing the row for
publishing.certificates.wildcardSecretName, an option that ships in v1.5.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 33ec767
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a5612af726a930008008ef5
😎 Deploy Preview https://deploy-preview-615--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Updated Gateway API Mermaid diagrams with quoted edge labels and added documentation for configuring an existing wildcard TLS Secret through the platform package publishing settings.

Changes

Gateway documentation

Layer / File(s) Summary
Mermaid traffic path labels
content/en/docs/next/networking/gateway-api.md, content/en/docs/v1.5/networking/gateway-api.md
Quoted the cert-manager-to-Gateway issues Certificate(s) labels in both diagrams.
Wildcard Secret configuration reference
content/en/docs/v1.5/operations/configuration/platform-package.md
Added publishing.certificates.wildcardSecretName documentation, including Secret requirements and fallback ACME behavior.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • cozystack/website#588: Documents the same publishing.certificates.wildcardSecretName configuration area.

Suggested reviewers: myasnikovdaniil, lllamnyp

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main documentation changes: fixing the Mermaid label and adding the v1.5 wildcardSecretName entry.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/fix-mermaid-edge-label-and-wildcard-secret-name

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the documentation by quoting a label in a Mermaid diagram in gateway-api.md (both next and v1.5 versions) and adding documentation for the publishing.certificates.wildcardSecretName parameter in platform-package.md. Feedback on the documentation change suggests wrapping the <root-host> placeholders in backticks to prevent them from being parsed as HTML tags, and renaming them to <host> for consistency with other parameters.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

| `publishing.certificates.dns01.rfc2136.tsigAlgorithm` | `"HMACSHA256"` | TSIG HMAC algorithm. |
| `publishing.certificates.dns01.rfc2136.secretName` | `""` | Secret name holding the TSIG key material. Required when `provider=rfc2136`. |
| `publishing.certificates.dns01.rfc2136.secretKey` | `"tsig-secret-key"` | Key inside the Secret holding the TSIG key. |
| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The placeholders <root-host> are not wrapped in backticks. In Markdown, unescaped angle brackets like <root-host> can be interpreted as HTML tags by some parsers, causing them to be omitted from the rendered output. Additionally, using <host> instead of <root-host> is more consistent with the publishing.host parameter defined earlier in this table.

Here is the suggested replacement:

| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<host>` and `<host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). |

@lexfrei Aleksei Sviridkin (lexfrei) changed the title docs: fix mermaid edge label and document wildcardSecretName for v1.5 docs: fix unrenderable diagram, document wildcardSecretName, carry Harbor prerequisites forward Jul 14, 2026
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the docs/fix-mermaid-edge-label-and-wildcard-secret-name branch from 858f8de to 33ec767 Compare July 14, 2026 10:42
@lexfrei Aleksei Sviridkin (lexfrei) changed the title docs: fix unrenderable diagram, document wildcardSecretName, carry Harbor prerequisites forward docs: fix mermaid edge label and document wildcardSecretName for v1.5 Jul 14, 2026
@lexfrei Aleksei Sviridkin (lexfrei) marked this pull request as ready for review July 14, 2026 10:47

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/v1.5/operations/configuration/platform-package.md`:
- Line 83: Update the v1.5 documentation entry for
publishing.certificates.wildcardSecretName to state that it takes precedence
over publishing.certificates.wildcard when both are configured and disables ACME
issuance. Keep the existing Secret requirements and empty-value behavior intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3b0067d6-99e0-416d-8530-51acedb42113

📥 Commits

Reviewing files that changed from the base of the PR and between d6f0c10 and 33ec767.

📒 Files selected for processing (3)
  • content/en/docs/next/networking/gateway-api.md
  • content/en/docs/v1.5/networking/gateway-api.md
  • content/en/docs/v1.5/operations/configuration/platform-package.md

| `publishing.certificates.dns01.rfc2136.tsigAlgorithm` | `"HMACSHA256"` | TSIG HMAC algorithm. |
| `publishing.certificates.dns01.rfc2136.secretName` | `""` | Secret name holding the TSIG key material. Required when `provider=rfc2136`. |
| `publishing.certificates.dns01.rfc2136.secretKey` | `"tsig-secret-key"` | Key inside the Secret holding the TSIG key. |
| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Document precedence over publishing.certificates.wildcard.

The v1.5 entry does not explain which setting wins when both wildcard options are configured, while content/en/docs/next/operations/configuration/platform-package.md explicitly states that wildcardSecretName takes precedence and disables ACME issuance. Keep the v1.5 reference behaviorally consistent.

Proposed wording
 | `publishing.certificates.wildcardSecretName` | `""` | ... Leave empty to keep ACME issuance (`solver` / `issuerName` above).
+When set, this takes precedence over `publishing.certificates.wildcard`; no ACME issuance occurs.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). |
| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above).
When set, this takes precedence over `publishing.certificates.wildcard`; no ACME issuance occurs.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/operations/configuration/platform-package.md` at line
83, Update the v1.5 documentation entry for
publishing.certificates.wildcardSecretName to state that it takes precedence
over publishing.certificates.wildcard when both are configured and disables ACME
issuance. Keep the existing Secret requirements and empty-value behavior intact.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant