docs(migration): expand guide on TLS nuances

[Timofei Larkin (lllamnyp)]

Summary by CodeRabbit

• Documentation
  • Expanded the migration guide with a new pre---apply TLS preparation warning clarifying that dry-run coverage is partial.
  • Updated TLS guidance to reflect CA location handling changes and the required certificate SAN/DNS coverage for both adopted legacy members and replacement members, including the “mixed window” where both domains must appear.
  • Added emphasis on wildcard SAN requirements, guidance on a subtle CR/quorum degradation risk, and concrete etcdctl validation steps with the relevant x509 error signature.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2369b822-138e-4160-8f64-df878d2eb2f7

📥 Commits

Reviewing files that changed from the base of the PR and between 8699ea5 and e5fd25c.

📒 Files selected for processing (1)

• docs/migration.md

---

📝 Walkthrough

Walkthrough

Migration docs add a pre-apply TLS warning and replace the TLS section with detailed guidance on CA Secret handling, SAN/DNS coverage for adopted and replacement members (mixed-window), wildcard SAN requirements, silent failure modes, and etcdctl validation commands.

Changes

TLS Migration Documentation

Layer / File(s)	Summary
Pre-apply TLS warning docs/migration.md	A brief warning before --apply states dry-run does not fully validate CA placement and replacement-member SAN coverage, and points readers to the TLS section.
Expanded TLS migration section docs/migration.md	Replaces TLS text with expanded guidance: operator reads ca.crt from member Secret, required SAN/DNS coverage for adopted (legacy headless) and replacement/native members including mixed-window both-domains requirement, wildcard SAN necessity with enumerated-SAN failure example, a described silent CR-status/quorum failure mode, and explicit etcdctl validation commands plus the x509 error signature for missing native-domain SANs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through docs with careful care,
Warned before apply, so operators prepare,
Wildcard SANs sing where pods may roam,
etcdctl proves the certs at home,
A tidy migration, soft as foam.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: expanding the migration guide documentation with additional TLS information and nuances.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/expand-tls-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the migration documentation in docs/migration.md to provide detailed guidance on TLS preparation, including CA locations, SAN coverage requirements, and the necessity of wildcard certificates to avoid silent member replacement failures. The review feedback suggests minor readability improvements, such as adding a missing comma and rephrasing a repetitive sentence, as well as a critical addition to remind users to configure the necessary TLS environment variables when running etcdctl validation commands.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/migration.md`:
- Around line 277-280: Update the fenced code blocks that contain the etcdctl
commands so they include the shell language tag by changing the opening
triple-backtick fences to ```sh for the blocks that contain "etcdctl endpoint
health --cluster" / "etcdctl endpoint status --cluster -w table" and the
subsequent similar block (also noted at the later block covering the lines
flagged 284-287); ensure both fenced blocks are updated to start with ```sh so
markdownlint MD040 is satisfied and the commands render as shell.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f41d2a8f-3cdc-4bd2-9abc-884c4eb24099

📥 Commits

Reviewing files that changed from the base of the PR and between d7dcf6a and c9ed93c.

📒 Files selected for processing (1)

• docs/migration.md