Is there an existing issue for this?
Current Behavior
The chart exposes three separate certificate-related toggles with overlapping names and no explanation of how they relate to each other:
autoGenerateCert — "Automatically generate certificate or not" (default true)
internal.autoGenerateCert — "Automatically generate internal certificate or not" (default true)
internal.certmanager.enabled — "cert-manager is installed for the internal certificates" (default false)
- What's the practical difference between the cert(s) governed by autoGenerateCert vs internal.autoGenerateCert? (UI-facing cert vs. inter-component mTLS cert? Something else?)
- If both internal.autoGenerateCert: true and internal.certmanager.enabled: true are set simultaneously, which one actually generates/manages the internal cert? Does the chart validate this combination, or is it silently undefined behavior depending on template render order?
- Is there a recommended/supported combination for a typical production setup (e.g. "use cert-manager for internal certs but auto-generate the UI-facing one"), or are these meant to be mutually exclusive?
Expected Behavior
A short explanation (in the README or linked docs) of:
- What each toggle actually controls (which component/connection uses that cert)
- What happens when multiple toggles could apply to the same cert
- A recommended combination for common scenarios (no cert-manager / cert-manager for internal only / fully managed)
Steps To Reproduce
- Open charts/core/README.md and read the descriptions for autoGenerateCert, internal.autoGenerateCert, and internal.certmanager.enabled in isolation.
- Attempt to answer, from the README alone: which cert does each toggle produce, and what happens if internal.autoGenerateCert: true and internal.certmanager.enabled: true are both set at once.
- No combination of rows in the table, nor any prose elsewhere in the README, answers this — the three fields are documented independently with no cross-reference.
Environment
- Chart: `neuvector/core`, tag `5.5.3`
- Deployment platform: Harvester host cluster (RKE2-based), via Rancher
- Relevant values in use: `autoGenerateCert: true`, `internal.autoGenerateCert: true`, `internal.certmanager.enabled: false` (chart defaults, not explicitly overridden)
Anything else?
Ran into this while working through ingress/TLS configuration for the manager UI specifically, and wanted to understand whether the same uncertainty applies to internal component certs before assuming a similar setup there.