docs(platform): document publishing.certificates wildcard options

[Aleksei Sviridkin (lexfrei)]

What this PR does

Document two publishing.certificates.* options in the platform-package value table that were missing from the reference docs.

• publishing.certificates.wildcard (new): opt-in shared wildcard certificate issuance on the default ingress-nginx path. When enabled with a DNS-01 solver it issues one *.<root-host> wildcard for system services instead of a per-host ACME certificate, avoiding Let's Encrypt rate limits at scale. Documented with its default (false), the dns01 / gateway-disabled gating, and the coverage / blast-radius caveat.
• publishing.certificates.wildcardSecretName (pre-existing, previously undocumented): operator-provided wildcard TLS Secret that platform services serve under instead of minting per-host ACME certificates.

Documents the code change in cozystack/cozystack#2988. Part of cozystack/cozystack#2811.

Summary by CodeRabbit

• Documentation
  • Added documentation for new Platform Package Publishing certificate configuration options enabling wildcard certificate support with opt-in capability and custom TLS Secret assignment.
  • Documented wildcard certificate behavior, including precedence rules between configuration options, override conditions, and hostname coverage considerations for tenant and service host patterns.

[netlify]

✅ Deploy Preview for cozystack ready!

Name	Link
🔨 Latest commit	7d02b6d
🔍 Latest deploy log	https://app.netlify.com/projects/cozystack/deploys/6a39bd46d9d9a900086fa059
😎 Deploy Preview	https://deploy-preview-588--cozystack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Review limit reached

@lexfrei, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 7 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a77445af-6b35-4a5e-829d-2f65d1598608

📥 Commits

Reviewing files that changed from the base of the PR and between 37fbec8 and 7d02b6d.

📒 Files selected for processing (1)

• content/en/docs/next/operations/configuration/platform-package.md

📝 Walkthrough

Walkthrough

Adds two new rows to the Platform Package "Publishing" configuration reference table: publishing.certificates.wildcard (a boolean for shared DNS-01 wildcard certificates) and publishing.certificates.wildcardSecretName (an operator-provided TLS Secret). The entries document behavior constraints, precedence rules, and coverage caveats.

Changes

Wildcard Certificate Configuration Docs

Layer / File(s)	Summary
Wildcard certificate fields in publishing reference content/en/docs/next/operations/configuration/platform-package.md	Adds documentation rows for publishing.certificates.wildcard and publishing.certificates.wildcardSecretName, covering ignored/overridden scenarios, wildcard hostname caveats, and precedence between the two options.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A bunny hops through config land,
Two new fields added, oh how grand!
Wildcards dance with DNS-01 flair,
TLS Secrets float through the air.
🐇 Caveats noted, precedence clear —
The docs are updated, let us cheer! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: documenting the wildcard certificate configuration options for the platform package.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/platform-certificates-wildcard

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request updates the platform package configuration documentation by adding descriptions for two new parameters: publishing.certificates.wildcard and publishing.certificates.wildcardSecretName. The review feedback suggests minor wording improvements to clarify that publishing.certificates.wildcard is a boolean setting rather than a "name", and to clarify the relationship between the publishing namespace and publishing.ingressName in the description of publishing.certificates.wildcardSecretName.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In the description for publishing.certificates.wildcard, the phrase "The chosen name" is confusing because this parameter is a boolean (true/false) rather than a name. It would be clearer to refer to "This setting" or "The chosen option" instead.

Suggested change

| `publishing.certificates.wildcard` | `false` | Opt-in shared wildcard certificate on the default ingress-nginx path (`gateway.enabled=false`). When `true` with `solver=dns01` and no `publishing.certificates.wildcardSecretName`, the platform issues one `*.<root-host>` + `<root-host>` `Certificate` via the DNS-01 `ClusterIssuer` and serves it as the ingress controller's default SSL certificate, so system services stop minting a per-host ACME certificate each — avoiding Let's Encrypt rate limits at scale, at parity with the Gateway API path. Ignored on `http01` (cannot issue wildcards) and when `gateway.enabled=true` (the `TenantGateway` controller issues the wildcard there). Coverage caveat: a single-label wildcard does not cover a custom service host outside `*.<root-host>` (e.g. a keycloak `ingress.host` on another domain) or a child tenant's nested host (`<service>.<tenant>.<root-host>`); those services fall back to the default certificate, which would not cover them. The chosen name rides the cluster values channel that child tenants inherit, so this is not root-tenant scoped — only enable it when every exposed host is covered, or supply a covering `publishing.certificates.wildcardSecretName` instead. Off by default so a `dns01` cluster is never switched silently on upgrade. |

| `publishing.certificates.wildcard` | `false` | Opt-in shared wildcard certificate on the default ingress-nginx path (`gateway.enabled=false`). When `true` with `solver=dns01` and no `publishing.certificates.wildcardSecretName`, the platform issues one `*.<root-host>` + `<root-host>` `Certificate` via the DNS-01 `ClusterIssuer` and serves it as the ingress controller's default SSL certificate, so system services stop minting a per-host ACME certificate each — avoiding Let's Encrypt rate limits at scale, at parity with the Gateway API path. Ignored on `http01` (cannot issue wildcards) and when `gateway.enabled=true` (the `TenantGateway` controller issues the wildcard there). Coverage caveat: a single-label wildcard does not cover a custom service host outside `*.<root-host>` (e.g. a keycloak `ingress.host` on another domain) or a child tenant's nested host (`<service>.<tenant>.<root-host>`); those services fall back to the default certificate, which would not cover them. This setting rides the cluster values channel that child tenants inherit, so this is not root-tenant scoped — only enable it when every exposed host is covered, or supply a covering `publishing.certificates.wildcardSecretName` instead. Off by default so a `dns01` cluster is never switched silently on upgrade. |

[Aleksei Sviridkin (lexfrei)]

Reworded to "Enabling it propagates the issued wildcard Secret name through the cluster values channel that child tenants inherit" — it refers to the auto-issued Secret name (set when the flag is on), now stated explicitly rather than "the chosen name". Fixed in 7d02b6d.

[gemini-code-assist]

The phrase "publishing namespace (publishing.ingressName, tenant-root by default)" is slightly confusing because publishing.ingressName is defined elsewhere as the ingress controller name, not a namespace. Clarifying that the namespace matches or is derived from this value would improve readability.

Suggested change

| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (`publishing.ingressName`, `tenant-root` by default), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Takes precedence over `publishing.certificates.wildcard` — when set, no ACME issuance happens. Leave empty to keep ACME issuance. |

| `publishing.certificates.wildcardSecretName` | `""` | Operator-provided wildcard TLS Secret. When set, platform services and the root tenant's ingress/Gateway serve under this pre-existing Secret instead of minting per-host ACME certificates; only the NAME travels through the platform values channel, never the certificate or private key. The Secret must already exist in the publishing namespace (which matches `publishing.ingressName`, `tenant-root` by default), be of type `kubernetes.io/tls`, and cover the served hosts (typically `*.<root-host>` + `<root-host>`). Takes precedence over `publishing.certificates.wildcard` — when set, no ACME issuance happens. Leave empty to keep ACME issuance. |

[Aleksei Sviridkin (lexfrei)]

Reworded to point at the publishing namespace directly: "tenant-root by default — the namespace running the root ingress controller selected by publishing.ingressName". It no longer reads as if publishing.ingressName were itself the namespace. Fixed in 7d02b6d.

[myasnikovdaniil]

Accurate and well-scoped. I cross-checked every documented claim against the chart source on the implementation branch (packages/core/platform/values.yaml, templates/apps.yaml, and packages/extra/ingress/templates/{wildcard-certificate,nginx-ingress}.yaml):

• Key names match exactly — publishing.certificates.wildcard and publishing.certificates.wildcardSecretName, no casing typo.
• Defaults match: wildcard: false, wildcardSecretName: "".
• Gating is correct: issuance only on solver=dns01 + gateway.enabled=false + no BYO secret (apps.yaml computes wildcard-issue exactly this way).
• Precedence is correct: wildcardSecretName wins and suppresses ACME issuance.
• The coverage footgun is real and correctly stated — the issued Certificate's dnsNames are <root-host> + *.<root-host> (single label), so custom/nested hosts fall back to the default cert. Neither overstated nor understated.
• The _cluster-channel / child-tenant blast-radius note and the tenant-root publishing-namespace default both check out.

CI is green (Netlify deploy preview, CodeRabbit, DCO).

Optional nit (non-blocking): the wildcard row describes issuance as "when true with solver=dns01 and no wildcardSecretName" — the fourth gating condition (gateway.enabled=false) is conveyed later in the same cell ("Ignored … when gateway.enabled=true"), so the full condition is present, just split across two sentences. Folding it into one would read a touch cleaner. LGTM.