fix read me

Signed-off-by: Wei Weng <[email protected]>

Author: Wei Weng

charts/hub-agent/README.md

@@ -59,7 +59,6 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | `enableGuardRail`                         | Enable guard rail webhook configurations                                                   | `true`                                           |
 | `webhookClientConnectionType`             | Connection type for webhook client (service or url)                                        | `service`                                        |
 | `useCertManager`                          | Use cert-manager for webhook certificate management                                        | `false`                                          |
-| `cert-manager.installCRDs`                | Install cert-manager CRDs (only when useCertManager=true)                                  | `true`                                           |
 | `enableV1Beta1APIs`                       | Watch for v1beta1 APIs                                                                     | `true`                                           |
 | `hubAPIQPS`                               | QPS for fleet-apiserver (not including events/node heartbeat)                              | `250`                                            |
 | `hubAPIBurst`                             | Burst for fleet-apiserver (not including events/node heartbeat)                            | `1000`                                           |
@@ -75,25 +74,32 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 
 The hub-agent supports two modes for webhook certificate management:
 
-### Self-Signed Certificates (Default)
+### Automatic Certificate Generation (Default)
 
-By default, the hub-agent generates self-signed certificates automatically. This mode:
+By default, the hub-agent generates certificates automatically at startup. This mode:
 - Requires no external dependencies
 - Works out of the box
 - Certificates are valid for 10 years
-- Suitable for most use cases
 
 ### cert-manager (Optional)
 
 When `useCertManager=true`, certificates are managed by cert-manager. This mode:
-- Automatically installs cert-manager as a dependency
-- Handles certificate rotation automatically
+- Requires cert-manager to be installed as a prerequisite
+- Handles certificate rotation automatically (90-day certificates)
 - Follows industry-standard certificate management practices
-- Requires running `helm dependency update` before installation
+- Suitable for production environments
 
 To switch to cert-manager mode:
 ```console
-cd charts/hub-agent
-helm dependency update
-helm install hub-agent . --set useCertManager=true
+# Install cert-manager first
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.16.2 \
+  --set crds.enabled=true
+
+# Then install hub-agent with cert-manager enabled
+helm install hub-agent ./charts/hub-agent --set useCertManager=true
 ```

charts/hub-agent/templates/certificate.yaml

@@ -11,8 +11,8 @@ spec:
   # Secret name where cert-manager will store the certificate
   secretName: fleet-webhook-server-cert
 
-  # Certificate duration (10 years to match self-signed cert behavior)
-  duration: 87600h # 10 years
+  # Certificate duration (90 days is cert-manager's default and recommended)
+  duration: 2160h # 90 days
 
   # Renew certificate 30 days before expiry
   renewBefore: 720h # 30 days