docs: align mTLS skill with service model #7
Walkthrough

Rewrites the SKILL.md recipe to migrate examples and steps from the upstream model to the service model: replaces
Pull request overview
Updates the a7-recipe-mtls skill documentation to match API7 EE’s current service-backed route model and remove legacy standalone upstream workflows.
Changes:
- Replace legacy `a7 upstream create` examples with `a7 service create` using inline `upstream`.
- Update route examples to use `service_id` and `paths` instead of `upstream_id` and `uri`.
- Update the declarative config example from `upstreams` to `services`, and adjust route fields accordingly.
| @@ -132,14 +155,14 @@ EOF | |||
| - `tls.client_key`: Private key for the client certificate. | |||
| - `pass_host`: Set to `"pass"` (default) or `"rewrite"` if upstream expects a specific Host header. | |||
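Review bot: the `pass_host` bullet is ambiguous as worded: "if upstream expects a specific Host header" can be read as applying to both `"pass"` and `"rewrite"`, and the bullet does not say which field supplies the rewritten Host value. Split it into one clause per value and name the field that carries the replacement host.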
The field list still documents `scheme`, `tls.client_cert`, `tls.client_key`, and `pass_host` as top-level keys, but in the updated examples these are nested under the inline `upstream` object (e.g., `upstream.scheme`, `upstream.tls.client_cert`, `upstream.pass_host`). Update the bullets to match the new service payload structure to avoid copy/paste misconfiguration.
| @@ -297,4 +332,4 @@ routes: | |||
| | Certificate expired | TLS cert past validity date | Rotate certificate with `a7 ssl update` | | |||
| | SNI mismatch | Domain doesn't match `snis` list | Add the domain to the `snis` array | | |||
| | Command failed with 401 | Invalid token | Refresh your token using `a7 context create` | | |||
| | Upstream not found | Different gateway group | Ensure `--gateway-group` matches where resources were created | | |||
| | Service not found | Different gateway group | Ensure `--gateway-group` matches where resources were created | | |||
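Review bot: the "Certificate expired" row says only "TLS cert past validity date" and points to `a7 ssl update`, without saying which certificate is meant. In an mTLS recipe the gateway's server certificate and the client certificate presented to the upstream can each expire, so name the certificate in this row or add a second row for the other one.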
This troubleshooting section still references `tls.client_cert` as if it were a top-level field. In the updated service-based examples, the client cert is configured under the inline `upstream` (`upstream.tls.client_cert` / `upstream.tls.client_key`). Update the reference to match where the setting actually lives in the service payload.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/a7-recipe-mtls/SKILL.md`:
- Around line 136-146: The "nodes" array and inline "tls" PEM in the upstream
definitions are invalid for API7 EE: replace the array-style nodes (e.g., the
[{"host":"secure-backend","port":443,"weight":1}]) with the map format keyed by
"host:port" (e.g., "secure-backend:443": 1) and remove the inline "tls" object
containing "client_cert" and "client_key"; instead upload the client certificate
and key as separate SSL Certificate objects in API7 EE and reference those
certificate IDs in the upstream configuration per API7 workflow. Also fix the
same nodes array issue in Part 1 where "nodes" uses the array form. Ensure no
PEMs remain inline and that only certificate IDs are referenced.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f1bf3408-bdf3-4cca-872b-31d120a3f8d3
📒 Files selected for processing (1)
skills/a7-recipe-mtls/SKILL.md
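A lint pass over a service payload covering the three points the reviews on this PR raise: upstream-only fields left at the top level, the form of `upstream.nodes`, and inline PEM material. This is an added example, not code from the PR or from API7; `lint_service`, its `expected_nodes` parameter and the sample payload are assumptions, and because the reviews disagree on map versus array the expected form is a parameter rather than a fixed rule.

```python
import json

UPSTREAM_ONLY = ("scheme", "tls", "pass_host")  # fields the review says belong under upstream
PEM_MARKER = "-----BEGIN"

def nodes_form(nodes):
    """Classify upstream.nodes as the 'map' or 'array' form discussed in the review."""
    return {dict: "map", list: "array"}.get(type(nodes), "unknown")

def find_inline_pem(value, path=""):
    """Yield the JSON path of every string value that embeds PEM material."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from find_inline_pem(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from find_inline_pem(child, f"{path}[{i}]")
    elif isinstance(value, str) and PEM_MARKER in value:
        yield path

def lint_service(payload, expected_nodes="array"):
    """Return a list of findings for one service payload (hypothetical helper)."""
    findings = []
    for field in UPSTREAM_ONLY:
        if field in payload:
            findings.append(f"misplaced:{field} (expected upstream.{field})")
    upstream = payload.get("upstream", {})
    form = nodes_form(upstream.get("nodes"))
    if form != expected_nodes:
        findings.append(f"nodes:{form} (expected {expected_nodes})")
    findings += [f"inline-pem:{p}" for p in find_inline_pem(payload)]
    return findings

# Constructed sample payload with placeholder PEM text, not taken from SKILL.md.
SAMPLE = json.loads("""
{
  "scheme": "https",
  "upstream": {
    "type": "roundrobin",
    "nodes": {"secure-backend:443": 1},
    "tls": {"client_cert": "-----BEGIN CERTIFICATE-----\\nconstructed\\n-----END CERTIFICATE-----",
            "client_key": "-----BEGIN PRIVATE KEY-----\\nconstructed\\n-----END PRIVATE KEY-----"}
  }
}
""")

if __name__ == "__main__":
    for finding in lint_service(SAMPLE):
        print(finding)
```

Set `expected_nodes` to whichever form the service schema actually accepts once that is confirmed.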
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/a7-recipe-mtls/SKILL.md`:
- Around line 122-129: Update the sentence "Add an SSL Certificate using the
certificate API7 EE should present to the upstream." to read "Add an SSL
Certificate using the certificate that API7 EE should present to the upstream."
and apply the same grammar fix to the similar occurrences in the block that
describes creating the upstream client SSL certificate and CA certificate (the
paragraph starting with "Create the upstream client SSL certificate and CA
certificate in API7 EE first..."); ensure the word "that" is inserted after
"certificate" wherever the same construction appears.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
skills/a7-recipe-mtls/SKILL.md:88
- The `service create` example uses `upstream.nodes` as an object map (`{"backend:8080": 1}`), but the runtime service API/CLI examples in this repo use the array form (`[{"host": ..., "port": ..., "weight": ...}]`). Update this snippet to use the array form so it matches `a7 service create` payloads used in e2e tests and avoids schema mismatches.
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
| type: roundrobin | ||
| scheme: https | ||
| nodes: | ||
| "backend:443": 1 |
In the Config Sync example, `services[].upstream.nodes` is still shown as a `{"host:port": weight}` map. If `services.upstream.nodes` is intended to mirror the runtime service payloads used by `a7 service create` (and e2e tests), switch this to the array form (`- host: ...\n port: ...\n weight: ...`) for consistency and to reduce confusion.
| "backend:443": 1 | |
| - host: backend | |
| port: 443 | |
| weight: 1 |
| "upstream": { | ||
| "type": "roundrobin", | ||
| "scheme": "https", | ||
| "nodes": { | ||
| "secure-backend:443": 1 | ||
| }, |
This `service create` example also formats `upstream.nodes` as a map (`{"secure-backend:443": 1}`), but `a7 service create` examples/tests use the array node format with explicit `host`/`port`/`weight`. Consider switching the snippet to the array form to ensure it’s accepted by the service API.
| "nodes": { | ||
| "internal-service:443": 1 | ||
| }, |
Same issue here: `upstream.nodes` is shown as a map, but service payloads in this repo use the array node format for `a7 service create`. Update this snippet to use the array form to prevent copy/paste failures.
| "nodes": { | |
| "internal-service:443": 1 | |
| }, | |
| "nodes": [ | |
| { | |
| "host": "internal-service", | |
| "port": 443, | |
| "weight": 1 | |
| } | |
| ], |
Summary
- `a7 upstream create` usage in `a7-recipe-mtls` with `a7 service create`.
- `upstream_id`/`uri` to current `service_id`/`paths` model.
- `upstreams` to `services`.

Validation
- `make validate-skills`
- `make test-skills`
- `git diff --check`

Fixes review feedback from #5 (comment)