docs improvement

syedhaseebahmed · syedhaseebahmed · commit 7a268287ea38 · 2026-04-21T18:44:26.000+05:30
diff --git a/docs/deploy-guide/components/nautobot-worker.md b/docs/deploy-guide/components/nautobot-worker.md
@@ -173,9 +173,11 @@ The ExternalSecret on the site cluster combines these into a single
 `tls.key`, and `ca.crt`. This secret is mounted into worker pods at
 `/etc/nautobot/mtls/`.
 
-Note: if your secrets provider stores PEM data with `\r\n` line endings,
-the ExternalSecret template must strip carriage returns
-(`| replace "\r" ""`) or OpenSSL will fail to parse the certificates.
+Note: if your secrets provider stores PEM data with `\r\n` line endings
+or concatenates multiple PEM blocks in a single field, use the
+[`filterPEM`](https://external-secrets.io/latest/guides/templating/#filter-pem-blocks)
+template function to extract specific block types. `filterPEM` handles
+carriage-return stripping automatically.
 
 ## Adding a New Site
 
@@ -298,16 +300,9 @@ spec:
       engineVersion: v2
       type: kubernetes.io/tls
       data:
-        tls.crt: >-
-          {{ .client_password
-             | regexFind "-----BEGIN CERTIFICATE-----[\\s\\S]*?-----END CERTIFICATE-----"
-             | replace "\r" "" }}
-        tls.key: >-
-          {{ .client_password
-             | regexFind "-----BEGIN EC PRIVATE KEY-----[\\s\\S]*?-----END EC PRIVATE KEY-----"
-             | replace "\r" "" }}
-        ca.crt: >-
-          {{ .ca_password | replace "\r" "" }}
+        tls.crt: '{{ .client_password | filterPEM "CERTIFICATE" }}'
+        tls.key: '{{ .client_password | filterPEM "EC PRIVATE KEY" }}'
+        ca.crt: '{{ .ca_password | filterPEM "CERTIFICATE" }}'
   dataFrom:
     - extract:
         key: "<client-cert-credential-id>"
@@ -325,9 +320,10 @@ spec:
 
 {% endraw %}
 
-The `replace "\r" ""` strips carriage returns that some secrets
-providers add to PEM data. Without this, OpenSSL will fail to parse
-the certificates.
+The [`filterPEM`](https://external-secrets.io/latest/guides/templating/#filter-pem-blocks)
+function extracts PEM blocks by type and strips carriage returns
+automatically. Pass the PEM block type without the `BEGIN`/`END`
+markers (e.g. `"CERTIFICATE"`, `"EC PRIVATE KEY"`, `"PRIVATE KEY"`).
 
 ### Step 4: Create the kustomization
 
@@ -534,8 +530,11 @@ operator guide.
 
 - **PEM data with carriage returns.** Some secrets providers store text
   with `\r\n` line endings. PEM certificates with `\r` characters will
-  fail OpenSSL parsing with `[SSL] PEM lib`. The ExternalSecret template
-  must strip carriage returns using `| replace "\r" ""`.
+  fail OpenSSL parsing with `[SSL] PEM lib`. Use the
+  [`filterPEM`](https://external-secrets.io/latest/guides/templating/#filter-pem-blocks)
+  template function to extract PEM blocks by type -- it handles
+  carriage-return stripping automatically. Avoid manual `regexFind` +
+  `replace "\r" ""` patterns.
 
 - **ExternalSecret format depends on your secrets provider.** The
   ExternalSecret for the mTLS client cert on site clusters must produce
diff --git a/docs/operator-guide/nautobot-celery-queues.md b/docs/operator-guide/nautobot-celery-queues.md
@@ -209,10 +209,8 @@ To confirm a site worker is consuming from the correct queue:
 
 ```bash
 # Check the CELERY_TASK_QUEUES env var in the running pod
-kubectl get deploy -n nautobot \
-  -l app.kubernetes.io/component=nautobot-celery-rax-dev \
-  -o jsonpath='{.items[0].spec.template.spec.containers[0].env}' \
-  | python3 -m json.tool | grep -A1 CELERY_TASK_QUEUES
+kubectl -n nautobot get deploy nautobot-worker-celery-rax-dev \
+            -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="CELERY_TASK_QUEUES")].value}'
 
 # Check worker logs for the queue binding
 kubectl logs -n nautobot \
diff --git a/docs/operator-guide/nautobot-mtls-certificate-renewal.md b/docs/operator-guide/nautobot-mtls-certificate-renewal.md
@@ -99,11 +99,7 @@ Check certificate status on the global cluster:
 
 ```bash
 # List all mTLS client certificates and their expiry
-kubectl get certificate -n nautobot -o custom-columns=\
-NAME:.metadata.name,\
-READY:.status.conditions[0].status,\
-EXPIRY:.status.notAfter,\
-RENEWAL:.status.renewalTime
+kubectl get certificate -n nautobot -o custom-columns='NAME:.metadata.name,READY:.status.conditions[0].status,EXPIRY:.status.notAfter,RENEWAL:.status.renewalTime'
 
 # Check a specific site's certificate
 kubectl describe certificate nautobot-mtls-client-<site> -n nautobot
diff --git a/docs/operator-guide/nautobot.md b/docs/operator-guide/nautobot.md
@@ -156,17 +156,24 @@ Then force a CNPG reconcile (see above).
 ### Restarting CNPG Pods
 
 If the CNPG pods have not picked up updated certificate secrets (e.g.
-`client-ca.crt` still shows the old CA), restart them one at a time:
+`client-ca.crt` still shows the old CA), use the `cnpg` kubectl plugin
+to perform a rolling restart:
 
 ```bash
-kubectl delete pod -n nautobot nautobot-cluster-2
-# wait for ready
-kubectl delete pod -n nautobot nautobot-cluster-3
-# wait for ready
-kubectl delete pod -n nautobot nautobot-cluster-1
+kubectl cnpg restart nautobot-cluster -n nautobot
+```
+
+This performs a rolling restart of all instances, handling replica/primary
+ordering automatically and waiting for each pod to be ready before
+proceeding.
+
+If you only need pods to reload configuration (e.g. updated `pg_hba`
+or PostgreSQL parameters) without a full restart:
+
+```bash
+kubectl cnpg reload nautobot-cluster -n nautobot
 ```
 
-Start with replicas, then the primary, to minimize downtime.
 
 ### pg_hba Behavior
 
