
docs(icp): update ICP docs to reflect current configuration, UI, and behavior#555

Open
itsvishwa wants to merge 5 commits into wso2:main from itsvishwa:docs/icp-revamp

@itsvishwa itsvishwa commented Jun 25, 2026

Contributor

Purpose

Fix missing configuration steps, incorrect UI labels, and outdated behavior descriptions across multiple ICP management pages.
resolves https://github.com/wso2-enterprise/integration-engineering/issues/1713

Approach

  • encrypt-secrets.md: Rewrote as a 5-step guide; added missing keystore generation and cipher tool configuration steps, without which the cipher tool cannot be used.
  • Corrected UI labels, table entries, and behavior descriptions across access-control, manage-environments, manage-integrations, manage-projects, manage-runtimes, reverse-proxy, default-user-store, and ldap-user-store pages.

Summary by CodeRabbit

  • Documentation
    • Updated ICP management guides to align with current console labels, table columns, and empty-state messaging (projects, environments, runtimes, integrations).
    • Added/clarified guidance for account recovery, including a new “Delete user” action.
    • Refined “Encrypt Secrets” instructions, including supported encrypted fields, safer examples, and startup decryption behavior.
    • Revised setup docs for the built-in user store, external credentials database initialization, LDAP user store flow, and reverse-proxy backend defaults/required restart wording.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Contributor

Review Change Stack

Warning

Review limit reached

@itsvishwa, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 47 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a0e6b0a5-57b1-4d89-904f-ccdeceae7a1c

📥 Commits

Reviewing files that changed from the base of the PR and between d96387a and 30f8cc8.

📒 Files selected for processing (1)
  • en/docs/manage/icp/manage-runtimes.md

Walkthrough

This PR updates ICP documentation for secret encryption, user-store setup, management console labels and table descriptions, and reverse-proxy backend endpoint wording.

Changes

Secret encryption documentation

| Layer / File(s) | Summary |
|---|---|
| Encrypt workflow setup / `en/docs/manage/icp/encrypt-secrets.md` | The intro, encryptable-field wording, keystore generation steps, cipher-tool setup, and ciphertext reference example are rewritten. |
| Startup keystore configuration / `en/docs/manage/icp/encrypt-secrets.md` | The startup-decryption section adds `[icp_server.utils]` keystore settings, environment-variable overrides, and revised decryption wording. |

User store setup documentation

| Layer / File(s) | Summary |
|---|---|
| Default user store setup / `en/docs/manage/icp/user-stores/default-user-store.md` | The built-in user-store overview, external-database steps, PostgreSQL example, and `deployment.toml` placeholders are updated. |
| LDAP user store setup / `en/docs/manage/icp/user-stores/ldap-user-store.md` | The LDAP setup flow is renumbered and reformatted, and the super-admin login behavior wording is updated. |

ICP management walkthrough docs

| Layer / File(s) | Summary |
|---|---|
| Console walkthrough wording updates / `en/docs/manage/icp/access-control.md`, `en/docs/manage/icp/manage-*.md` | The management docs update action labels, column lists, empty-state text, and log and metrics descriptions across the ICP console pages. |
| Backend endpoint defaults / `en/docs/manage/icp/reverse-proxy.md` | The reverse-proxy backend endpoint note now states the startup propagation behavior and restart requirement. |

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • wso2/docs-integrator#532: Updates the same reverse-proxy backend endpoint documentation in en/docs/manage/icp/reverse-proxy.md.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description is largely incomplete; it only includes Purpose and Approach and omits most required template sections. | Add the missing template sections: Goals, User stories, Release note, Documentation, Tests, Security checks, and other applicable fields. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: updating ICP docs to match current configuration, UI, and behavior. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
en/docs/manage/icp/encrypt-secrets.md (1)

136-157: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Make the Step 4 TOML example pasteable.

The first half of the example shows $secret{...} assignments without the enclosing [icp_server.*] sections, so copying this block verbatim would place those keys at the TOML root. Either keep the original section headers around the reference values or mark the snippet as illustrative instead of copy/paste-ready.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/docs/manage/icp/encrypt-secrets.md` around lines 136 - 157, The Step 4
TOML example is not pasteable as written because the `$secret{...}` reference
assignments appear without their enclosing `[icp_server.secrets]` and
`[icp_server.storage]` section headers, which would place them at the TOML root
if copied verbatim. Update the example in the encrypt-secrets doc so each
reference block keeps the same section context as the ciphertext blocks, or
otherwise clearly label it as illustrative only; use the existing
`[icp_server.secrets]`, `[icp_server.storage]`, and
`[icp_server.storage.secrets]` sections as the anchors for the fix.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@en/docs/manage/icp/encrypt-secrets.md`:
- Around line 165-190: Clarify the note in encrypt-secrets.md so it
distinguishes path resolution from credential matching: in the ICP keystore
setup section, update the guidance near the deployment.toml example and the
`cipherKeystorePath`/`cipherKeystoreAlias` entries to say the keystore file path
only needs to resolve to the same file, while `cipherKeystoreAlias`,
`cipherKeystorePassword`, and `cipherPrivateKeyPassword` must exactly match the
values from `cipher-standalone-config.properties`. Keep the environment variable
note consistent with this distinction.

In `@en/docs/manage/icp/manage-integrations.md`:
- Around line 114-117: The Most Used APIs bullet in the documentation no longer
mentions the error-count field, which is inconsistent with the observability
description. Update the “Most Used APIs” entry in the manage-integrations doc to
include error count alongside per-endpoint request counts and average response
times, keeping the wording aligned with the related APIs observability section.

In `@en/docs/manage/icp/manage-runtimes.md`:
- Around line 46-47: Update the empty-state text in the secrets panel
documentation to reflect that it now includes both bound and unbound secrets. In
manage-runtimes.md, revise the copy associated with the secrets panel so it no
longer says “No bound secrets...” and instead uses wording that matches an empty
list of all secrets for the environment, keeping the surrounding description in
sync with the secrets panel behavior.

In `@en/docs/manage/icp/reverse-proxy.md`:
- Line 21: The default endpoint wording in the reverse-proxy documentation is
incorrect and should reflect the full path-specific defaults. Update the text
around the settings description so it references the actual default endpoints
used by the console frontend, including the GraphQL, auth, and observability
paths, and adjust the surrounding explanation in the reverse-proxy section to
keep the `deployment.toml` propagation guidance consistent.

---

Outside diff comments:
In `@en/docs/manage/icp/encrypt-secrets.md`:
- Around line 136-157: The Step 4 TOML example is not pasteable as written
because the `$secret{...}` reference assignments appear without their enclosing
`[icp_server.secrets]` and `[icp_server.storage]` section headers, which would
place them at the TOML root if copied verbatim. Update the example in the
encrypt-secrets doc so each reference block keeps the same section context as
the ciphertext blocks, or otherwise clearly label it as illustrative only; use
the existing `[icp_server.secrets]`, `[icp_server.storage]`, and
`[icp_server.storage.secrets]` sections as the anchors for the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c0ef5c0-b5d4-4d3c-9bd5-10c0aef5d339

📥 Commits

Reviewing files that changed from the base of the PR and between 4f8e53f and 4dda4e1.

📒 Files selected for processing (9)
  • en/docs/manage/icp/access-control.md
  • en/docs/manage/icp/encrypt-secrets.md
  • en/docs/manage/icp/manage-environments.md
  • en/docs/manage/icp/manage-integrations.md
  • en/docs/manage/icp/manage-projects.md
  • en/docs/manage/icp/manage-runtimes.md
  • en/docs/manage/icp/reverse-proxy.md
  • en/docs/manage/icp/user-stores/default-user-store.md
  • en/docs/manage/icp/user-stores/ldap-user-store.md

Comment thread en/docs/manage/icp/encrypt-secrets.md
Comment thread en/docs/manage/icp/manage-integrations.md
Comment thread en/docs/manage/icp/manage-runtimes.md Outdated
Comment thread en/docs/manage/icp/reverse-proxy.md Outdated
@github-actions


Broken links, images & orphan pages

Passing — no broken links or images found.

Links/images come from one crawl of the production build (baseUrl-aware). Orphans are docs not referenced by sidebars.ts.

Summary

  • Broken links & images — total 0 · 🆕 introduced 0 · 📄 already on main 0
  • Orphan pages — total 8 · 🆕 introduced 0 · 📄 already on main 8

Broken links & images

Introduced by this PR

No new broken link(s)/image(s) introduced by this PR. ✅

Already on main — 0 total

None.

Orphan pages

Introduced by this PR

No new orphan page(s) introduced by this PR. ✅

Already on main — 8 total

Already present on the base branch (not caused by this PR):

  • docs/deploy-operate/observe/datadog-integration
  • docs/deploy-operate/observe/elastic-stack-elk
  • docs/deploy-operate/observe/metrics-prometheus-grafana
  • docs/deploy-operate/observe/opensearch-integration
  • docs/deploy-operate/observe/recipe-elk-stack
  • docs/deploy-operate/observe/recipe-kubernetes-production
  • docs/deploy-operate/observe/recipe-local-development
  • docs/deploy-operate/observe/recipe-opensearch-setup

@itsvishwa

Contributor Author

Please hold off on merging this PR until issue #1779 (wso2/product-integrator#1779) is resolved. Once that's done, we'll need to incorporate the related SSO configuration documentation changes into this PR before it goes in.

@tharindu-nw

Contributor

> Once that's done, we'll need to incorporate the related SSO configuration documentation changes into this PR before it goes in

We cannot add the new callback path to the documentation until after the next release because the users will not have the updated pack.

@itsvishwa

Contributor Author

> > Once that's done, we'll need to incorporate the related SSO configuration documentation changes into this PR before it goes in
>
> We cannot add the new callback path to the documentation until after the next release because the users will not have the updated pack.

Sure, then let's handle the SSO config doc separately.

2. Authenticates the user by attempting an LDAP bind with their DN and password.
3. Reads the user's group memberships from the directory.
4. If any group matches a configured admin role, the user is granted ICP super-admin **on first login** (by adding them to the built-in *Super Admins* group).
4. If any group matches a configured admin role, the user is granted ICP super-admin (by adding them to the built-in *Super Admins* group). This happens only on the user's **first login** and is not re-evaluated on subsequent logins.
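
Review bot: The reworded step 4 says the admin-role match "is not re-evaluated on subsequent logins" but stops short of stating what that means for directory changes made after a user's first login. As worded, a user who is later removed from the matching LDAP group stays in the built-in *Super Admins* group, and a user added to that LDAP group after their first login is not promoted. Consider adding a sentence after step 4 that says this explicitly and tells operators where Super Admins membership has to be changed, so that removing someone from the LDAP admin group is not mistaken for revoking ICP super-admin.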

Contributor

@tharindu-nw Is this the correct behavior?

Comment thread en/docs/manage/icp/encrypt-secrets.md Outdated
@Dilhasha Dilhasha requested a review from tharindu-nw June 26, 2026 04:26

3 participants