Hi everyone I think I put this in #general but there's also a part of #fleet and #k3s involved in it. Here is a grumpy old man, beginning to desperate on his own mind and the whole Rancher universe. Therefore please apology, for ranting first and then asking for help. But the last couple of weeks, I digged trough fleet, the helm-controller of k3s (which is also part of RKE2, what I'm using here) and some Rancher API stuff to get things working here in a GitOps way. On that way, I strumbled accross some nice features which sometimes haven't been documented at all or their documentation was incomplete (HelmController). Eventually, I had to check the go source to understand the configuration (I'm not a developer). I also stumbled upon features which have been implemented for one use case and have been forgotten for another use case of the same tool (in this case it was Fleet). I saw daunting things in both Rancher API and different CRDs. But what finally blew up my brain was the usage of private CA certificates across all the tools. All the stuff here is TLS secured, and protected by certificates of a private CA. So this is what I have collected so far: • For Rancher Manager, I need to create a

secret

containing the CA certificate as the key

cacerts.pem

• For Fleet, to check out the GitRepo over https, I needed to add the CA certificate as base64 encoded string with the key

caBundle

directly into the `GitRepo`Object • One of those Fleet

GitRepo

contains a Helm installation in that Repos

fleet.yaml

(because HelmController is lacking the feature I need here). To get that helm chart from the internal chart repo, I also need the CA. But this doesn't work with the already existing

caBundle

, I need to add the same CA a second time to my

GitRepo

, that time as a secret reference called

helmSecretName

. That secret needs the key

cacerts

so I can't use the same as for Rancher Manager which needs different key. • I also have

HelmChart

objects from the HelmController. To get the charts here, I have the poorly documented option to use the key

repoCA

which contains the CA not encoded as a literal scalar (I think that's what it is called). After I took a look at the CRD, I also discovered the

repoCAConfigMap

which I wasn't able to find in any documentation. But after reading this go function (https://github.com/k3s-io/helm-controller/blob/master/pkg/controllers/chart/chart.go#L749) I understand this need to be for real a ConfigMap. As far as I understand, I doesn't matter how the key is called, it gets mounted as /ca-files in the container. To wrap it up: I have my very same CA certificate at least for times used in different ways: in two secrets with different keys, inline as a base64 encoded string and either inline as a literal scalar or in a ConfigMap. I understand this are different tools. And maybe also different developers. But I also understand this is all Rancher (or Suse) and we also have already exiting concepts in Kubernetes as

secretKeyRef

and others. Now, finally my question: How should I manage the CA certificate. I'm open for ideas...