docs: fix mermaid edge label and document wildcardSecretName for v1.5#615
docs: fix mermaid edge label and document wildcardSecretName for v1.5#615Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
Conversation
The Gateway API traffic-path flowchart failed to render: an edge label contained unquoted parentheses, which Mermaid's parser rejects. Quote it, matching the convention used by every other edge label in these docs. The v1.5 platform-package reference was also missing the row for publishing.certificates.wildcardSecretName, an option that ships in v1.5. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
✅ Deploy Preview for cozystack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
📝 WalkthroughWalkthroughUpdated Gateway API Mermaid diagrams with quoted edge labels and added documentation for configuring an existing wildcard TLS Secret through the platform package publishing settings. ChangesGateway documentation
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the documentation by quoting a label in a Mermaid diagram in gateway-api.md (both next and v1.5 versions) and adding documentation for the publishing.certificates.wildcardSecretName parameter in platform-package.md. Feedback on the documentation change suggests wrapping the <root-host> placeholders in backticks to prevent them from being parsed as HTML tags, and renaming them to <host> for consistency with other parameters.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| | `publishing.certificates.dns01.rfc2136.tsigAlgorithm` | `"HMACSHA256"` | TSIG HMAC algorithm. | | ||
| | `publishing.certificates.dns01.rfc2136.secretName` | `""` | Secret name holding the TSIG key material. Required when `provider=rfc2136`. | | ||
| | `publishing.certificates.dns01.rfc2136.secretKey` | `"tsig-secret-key"` | Key inside the Secret holding the TSIG key. | | ||
| | `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). | |
There was a problem hiding this comment.
The placeholders <root-host> are not wrapped in backticks. In Markdown, unescaped angle brackets like <root-host> can be interpreted as HTML tags by some parsers, causing them to be omitted from the rendered output. Additionally, using <host> instead of <root-host> is more consistent with the publishing.host parameter defined earlier in this table.
Here is the suggested replacement:
| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<host>` and `<host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). |858f8de to
33ec767
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/v1.5/operations/configuration/platform-package.md`:
- Line 83: Update the v1.5 documentation entry for
publishing.certificates.wildcardSecretName to state that it takes precedence
over publishing.certificates.wildcard when both are configured and disables ACME
issuance. Keep the existing Secret requirements and empty-value behavior intact.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3b0067d6-99e0-416d-8530-51acedb42113
📒 Files selected for processing (3)
content/en/docs/next/networking/gateway-api.mdcontent/en/docs/v1.5/networking/gateway-api.mdcontent/en/docs/v1.5/operations/configuration/platform-package.md
| | `publishing.certificates.dns01.rfc2136.tsigAlgorithm` | `"HMACSHA256"` | TSIG HMAC algorithm. | | ||
| | `publishing.certificates.dns01.rfc2136.secretName` | `""` | Secret name holding the TSIG key material. Required when `provider=rfc2136`. | | ||
| | `publishing.certificates.dns01.rfc2136.secretKey` | `"tsig-secret-key"` | Key inside the Secret holding the TSIG key. | | ||
| | `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). | |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
Document precedence over publishing.certificates.wildcard.
The v1.5 entry does not explain which setting wins when both wildcard options are configured, while content/en/docs/next/operations/configuration/platform-package.md explicitly states that wildcardSecretName takes precedence and disables ACME issuance. Keep the v1.5 reference behaviorally consistent.
Proposed wording
| `publishing.certificates.wildcardSecretName` | `""` | ... Leave empty to keep ACME issuance (`solver` / `issuerName` above).
+When set, this takes precedence over `publishing.certificates.wildcard`; no ACME issuance occurs.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| | `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). | | |
| | `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`tenant-root` by default — the namespace running the root ingress controller selected by `publishing.ingressName`), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Leave empty to keep ACME issuance (`solver` / `issuerName` above). | |
| When set, this takes precedence over `publishing.certificates.wildcard`; no ACME issuance occurs. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/operations/configuration/platform-package.md` at line
83, Update the v1.5 documentation entry for
publishing.certificates.wildcardSecretName to state that it takes precedence
over publishing.certificates.wildcard when both are configured and disables ACME
issuance. Keep the existing Secret requirements and empty-value behavior intact.
The traffic-path flowchart on the Gateway API page does not render. The edge label
CM -.->|issues Certificate(s)| GWcontains unquoted parentheses inside a pipe-delimited label, which Mermaid's parser rejects, so the whole flowchart fails — the diagram is simply absent from the page. Quoting the label fixes it and matches the convention already used by every other edge label in these docs (see the-->|"L2 (ARP) or BGP"| S1labels on the networking architecture page). The same line is present in both the v1.5 and the next snapshot, so both are fixed.Verified by rendering rather than by inspection: run through mermaid's own renderer, the current version throws and produces no SVG at all, while the quoted version produces the full diagram. A Hugo build cannot catch this — the fenced block is emitted verbatim and parsed client-side in the browser, so the build stays green either way.
Separately, the v1.5 platform-package reference is missing the row for
publishing.certificates.wildcardSecretName. The option genuinely ships in v1.5 and the v1.5 release blog post describes the feature, but the reference table jumps straight from the DNS-01 rows topublishing.proxyProtocol. The row is already present in the next docs, so only the v1.5 snapshot was stale. The wording is adapted from the next row, with the cross-reference topublishing.certificates.wildcardremoved — that key does not exist in v1.5.Summary by CodeRabbit