docs: align production service guide with operator TLS and gRPC behavior#388
Conversation
Simplify gRPC requirements to match how the cluster is actually wired: HTTP/2 path and built-in keep-alive. Replace generic TLS termination options with the operator model: gRPC TLS passthrough to controller and router, edge termination for HTTP login.
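As an added example of the layout this PR documents (this is not code from the PR or from the Jumpstarter project), the script below lints Route manifests against it: routes that carry gRPC must use TLS passthrough so the controller and router pods terminate TLS, and the HTTP login route must use edge termination at the ingress/router with plaintext redirected rather than allowed. The manifests are constructed for the example and only follow the shape of OpenShift's `route.openshift.io/v1` Route; the hostnames, service names and the convention that gRPC routes target a port named `grpc` are assumptions, not the operator's real templates.

```python
"""Route-layout lint: added example, not code from the PR or the Jumpstarter
project. It checks manifests against the layout the PR describes: gRPC hosts
exposed with TLS passthrough (controller and router pods terminate TLS) and
HTTP login hosts with edge termination at the ingress/router."""
from __future__ import annotations

from typing import Any, Optional


def make_route(name: str, host: str, service: str, port: str,
               tls: Optional[dict[str, str]]) -> dict[str, Any]:
    """Build a route.openshift.io/v1 Route-shaped dict (constructed sample)."""
    spec: dict[str, Any] = {
        "host": host,
        "to": {"kind": "Service", "name": service},
        "port": {"targetPort": port},
    }
    if tls is not None:
        spec["tls"] = tls
    return {"apiVersion": "route.openshift.io/v1", "kind": "Route",
            "metadata": {"name": name}, "spec": spec}


# Constructed sample manifests; hosts and service names are hypothetical.
SAMPLE_ROUTES = [
    # Documented layout: gRPC -> passthrough, the pods terminate TLS.
    make_route("controller-grpc", "controller.grpc.example.test",
               "jumpstarter-controller", "grpc",
               {"termination": "passthrough", "insecureEdgeTerminationPolicy": "None"}),
    make_route("router-grpc", "router.grpc.example.test",
               "jumpstarter-router", "grpc",
               {"termination": "passthrough", "insecureEdgeTerminationPolicy": "Redirect"}),
    # Documented layout: HTTP login -> edge termination, plaintext redirected.
    make_route("login-http", "login.example.test",
               "jumpstarter-controller", "http",
               {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}),
    # Deliberately wrong variants, to show what the lint reports.
    make_route("router-grpc-edge", "router2.grpc.example.test",
               "jumpstarter-router", "grpc", {"termination": "edge"}),
    make_route("login-plain", "login2.example.test",
               "jumpstarter-controller", "http", None),
    make_route("login-allow", "login3.example.test",
               "jumpstarter-controller", "http",
               {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}),
]


def is_grpc_route(route: dict[str, Any]) -> bool:
    # Assumed convention: gRPC routes target the Service port named "grpc".
    return route["spec"].get("port", {}).get("targetPort") == "grpc"


def lint_route(route: dict[str, Any]) -> list[str]:
    """Return a list of findings (empty when the route matches the layout)."""
    findings: list[str] = []
    spec = route["spec"]
    tls = spec.get("tls")
    if tls is None:
        findings.append("no spec.tls: route is served over plaintext")
        return findings
    term = tls.get("termination")
    # OpenShift's default for insecureEdgeTerminationPolicy is None.
    policy = tls.get("insecureEdgeTerminationPolicy", "None")
    if is_grpc_route(route):
        if term != "passthrough":
            findings.append(
                f"gRPC route uses termination={term!r}; the operator model is "
                "passthrough so the controller/router pods terminate TLS")
    elif term != "edge":
        findings.append(
            f"HTTP login route uses termination={term!r}; the operator model "
            "is edge termination at the ingress/router")
    if policy == "Allow":
        # Allow keeps the insecure port open (and is only accepted by OpenShift
        # for edge/reencrypt routes); Redirect or None is what we want here.
        findings.append(
            "insecureEdgeTerminationPolicy=Allow permits plaintext on this "
            "host; use Redirect (or None)")
    return findings


def lint_routes(routes: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Lint every route, keyed by metadata.name."""
    return {r["metadata"]["name"]: lint_route(r) for r in routes}


if __name__ == "__main__":
    for name, found in lint_routes(SAMPLE_ROUTES).items():
        print(f"{'ok' if not found else 'FAIL':4} {name}")
        for item in found:
            print("     -", item)
```

Run as a script to get a per-route report; the three compliant routes come back clean and the three broken variants each produce one finding. The gRPC-over-edge case is the one worth watching for in practice: once the ingress terminates TLS for a gRPC host, the client no longer sees the pod's certificate and the HTTP/2 requirement from the warning shifts onto the ingress itself.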
✅ Deploy Preview for jumpstarter-docs ready!
📝 Walkthrough

The production service documentation was updated to simplify gRPC TLS configuration guidance by replacing a multi-option termination strategies section with a description of the Jumpstarter operator's specific TLS passthrough approach at the ingress layer, while removing ingress-specific annotations and tuning recommendations.

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@python/docs/source/getting-started/installation/service/service-production.md`, line 31: the sentence currently states TLS passthrough unconditionally; update the wording to avoid implying it is the only supported gRPC TLS mode by saying the Jumpstarter operator typically or defaults to using TLS passthrough for gRPC at the ingress/route, and explicitly note that routes can also be configured with `grpc.tls.mode: reencrypt` (see the router-route.yaml route template) so operators know re-encrypt is supported; keep the explanation about edge TLS termination for HTTP login endpoints unchanged.
📒 Files selected for processing (1)
python/docs/source/getting-started/installation/service/service-production.md
| ```{warning} | ||
| gRPC over HTTP/1.1 is not supported. Ensure your ingress controller supports HTTP/2 and is properly configured for gRPC traffic. | ||
| ``` | ||
| The [Jumpstarter operator](service-operator.md) installs gRPC with **TLS passthrough** at the ingress or route: encrypted traffic is forwarded to the controller and router pods, which terminate TLS. HTTP login endpoints use edge TLS termination instead. |
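Review bot: the `{warning}` block and the new paragraph give the reader two requirements that point at different components. The warning says to "ensure your ingress controller supports HTTP/2", while the paragraph that follows says the ingress forwards the encrypted gRPC stream untouched and the controller and router pods terminate TLS; in that passthrough layout the ingress never sees the HTTP layer, so what it must support is TLS passthrough (routing on SNI), and HTTP/2 is negotiated between client and pod. Consider rewording the warning so it says which requirement applies to the ingress and which to the pods, and adding one sentence after "which terminate TLS" on where those pods get their server certificate and how it is renewed, since with passthrough the ingress no longer holds the gRPC certificate.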
Avoid implying passthrough is the only supported gRPC TLS mode.
Current wording reads as unconditional, but OpenShift route templates also allow grpc.tls.mode: reencrypt (controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/router-route.yaml, Line 1-48). Consider “defaults to passthrough” or “typically passthrough” to prevent operator confusion.
Suggested wording tweak
-The [Jumpstarter operator](service-operator.md) installs gRPC with **TLS passthrough** at the ingress or route: encrypted traffic is forwarded to the controller and router pods, which terminate TLS. HTTP login endpoints use edge TLS termination instead.
+The [Jumpstarter operator](service-operator.md) configures gRPC to use **TLS passthrough by default** at the ingress or route: encrypted traffic is forwarded to the controller and router pods, which terminate TLS. HTTP login endpoints use edge TLS termination instead.📝 Committable suggestion
good point, but helm support is deprecated
@mangelajo, thanks for the clarification! If Helm support is deprecated, then the reencrypt option in the Helm chart templates is no longer relevant, and the unconditional "TLS passthrough" wording in the docs is accurate for the current supported deployment path. The suggestion can be disregarded — the existing wording is fine.
✏️ Learnings added
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter PR: 388
File: python/docs/source/getting-started/installation/service/service-production.md:31-31
Timestamp: 2026-03-26T14:31:04.673Z
Learning: In the jumpstarter-dev/jumpstarter repository, Helm-based deployment (charts under `controller/deploy/helm/`) is deprecated. When reviewing documentation or code changes, do not flag Helm chart configurations (such as `grpc.tls.mode: reencrypt` in router-route.yaml) as conflicting with or constraining the current supported deployment approach.
🧠 Learnings used
Learnt from: bennyz
Repo: jumpstarter-dev/jumpstarter PR: 320
File: python/packages/jumpstarter-cli/jumpstarter_cli/shell.py:308-341
Timestamp: 2026-03-14T11:11:29.265Z
Learning: In `python/packages/jumpstarter-cli/jumpstarter_cli/shell.py`, the `--tls-grpc` path (`_shell_direct_async`) intentionally does NOT use `ClientConfigV1Alpha1`. It constructs a synthetic config with `allow=[]`, `unsafe=True`, and `use_profiles=False` because this is a direct, controller-free connection mode. Do not flag the absence of a real client config here as an issue.