Self signed Certificates/cacerts being generated on helm chart deploy of rancher 2.x even though --private-ca isn't being set

Hi. I am currently deploying Rancher 2.x, via Helm, to an AKS cluster, with the following command:

helm repo add rancher-latest
helm install rancher-latest/rancher \
  --name rancher \
  --namespace cattle-system \
  --set hostname=$name.$domain \
  --set tls=external

As implied here, I am doing external TLS ingress (in this case, via CloudFlare).

It is very puzzling because I have looked through the helm chart and docker files, and I see indications that --no-cacerts is set when --private-ca isn’t specified, so I shouldn’t see any certificate in the cacerts value in Rancher Settings. Yet, I do, and because I do, kubectl and rancher-cli calls fail.

Is there something I am missing?


I think this issue might describe what you’re seeing

If so, it's a bug and will be fixed in v2.3.0.