Add notes for TLS secret

omerap12 · omerap12 · commit 84324603f0eb · 2025-12-30T16:44:21.000Z
Signed-off-by: Omer Aplatony &lt;omerap12@gmail.com&gt;
diff --git a/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md b/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md
@@ -50,6 +50,8 @@ admissionController:
 In this mode:
 - The VPA admission controller creates and manages the webhook itself
 - The application handles its own certificate generation
+Important: You are responsible for creating the TLS secret before or after installing the chart. The admission controller will only create the `MutatingWebhookConfiguration` once the secret exists.
+If the secret is created after the Helm install, you must restart the admission controller pod to trigger webhook registration.
 
 ## Migration Guides
 
diff --git a/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md.gotmpl b/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md.gotmpl
@@ -47,6 +47,8 @@ admissionController:
 In this mode:
 - The VPA admission controller creates and manages the webhook itself
 - The application handles its own certificate generation
+Important: You are responsible for creating the TLS secret before or after installing the chart. The admission controller will only create the `MutatingWebhookConfiguration` once the secret exists.
+If the secret is created after the Helm install, you must restart the admission controller pod to trigger webhook registration.
 
 ## Migration Guides
 
diff --git a/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/NOTES.txt b/vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/NOTES.txt
@@ -18,7 +18,13 @@ Webhook Configuration:
 {{- if .Values.admissionController.registerWebhook }}
    Mode: Application-managed
    - Webhook registered by: admission-controller application
-   - Certificates managed by: admission-controller application
+   - Certificates managed by: User (you must provide the TLS secret)
+
+   ⚠️  IMPORTANT: You must create the TLS secret '{{ include "vertical-pod-autoscaler.admissionController.tls.secretName" . }}'
+   The admission controller will only register the webhook once this secret exists.
+   If the secret is created after this install, restart the admission controller:
+
+   kubectl rollout restart deployment/{{ include "vertical-pod-autoscaler.admissionController.fullname" . }} -n {{ .Release.Namespace }}
 {{- else if .Values.admissionController.certGen.enabled }}
    Mode: Helm-managed (recommended)
    - Webhook registered by: Helm (MutatingWebhookConfiguration)
