Fix doc comments

Martin Jackson · Martin Jackson · commit fc5658dac610 · 2026-05-06T11:38:36.000-05:00
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: vp-sscsi-spc
-version: 0.1.2
+version: 0.1.3
 description: >-
   Library chart for app-level Vault SecretProviderClass rendering with hub, spoke, and
   external Vault support. Cluster CA material is managed by a separate cluster-wide chart.
diff --git a/README.md b/README.md
@@ -1,22 +1,24 @@
 # vp-sscsi-spc
 
-![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square)
+![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square)
 
 Library chart for app-level Vault SecretProviderClass rendering with hub, spoke, and external Vault support. Cluster CA material is managed by a separate cluster-wide chart.
 
-This chart is the app-level SecretProviderClass companion to the cluster-wide Vault CSI chart.
+This chart is the **library for `SecretProviderClass` only**, **one dependency per application chart** that consumes Vault via SSCSI.
+
+**Vault CSI provider DaemonSet and TLS trust on the provider** (for example projected proxy cluster CA) are installed by **`openshift-sscsi-vault`** (chart **0.2.0+**), not this library. The **`openshift-sscsi-vault`** is provided for this.
 
 ### Scope
 
-This chart renders SecretProviderClass manifests only. Use it from application charts that need:
+This chart renders **only** `SecretProviderClass` YAML (named templates or optional `installDefaultManifests`). Use it from application charts that need:
 
 - Hub-cluster Vault auth (`hub` mount + role)
 - Spoke-cluster auth to centralized Vault (`clusterDomain` mount + role)
 - External Vault endpoint override (`vault.externalAddress`)
 - Optional reference to a pre-mounted CA path (`tls.vaultCACertPath`)
 - Optional app-key driven workload auth lookup from `clusterGroup.applications[*].ssCsiWorkloadAuth`
 
-This chart does not create or source CA ConfigMaps. Cluster-wide CA management stays in the cluster component chart.
+This chart does not install the CSI provider or mount trust bundles; set **`tls.vaultCACertPath`** to match whatever path the **provider** exposes (for example under **`/etc/pki/vault-ca`** from **`openshift-sscsi-vault`** defaults).
 
 ### Usage from parent charts
 
diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -5,19 +5,21 @@
 
 {{ template "chart.description" . }}
 
-This chart is the app-level SecretProviderClass companion to the cluster-wide Vault CSI chart.
+This chart is the **library for `SecretProviderClass` only**, **one dependency per application chart** that consumes Vault via SSCSI.
+
+**Vault CSI provider DaemonSet and TLS trust on the provider** (for example projected proxy cluster CA) are installed by **`openshift-sscsi-vault`** (chart **0.1.0+**), not this library.
 
 ### Scope
 
-This chart renders SecretProviderClass manifests only. Use it from application charts that need:
+This chart renders **only** `SecretProviderClass` YAML (named templates or optional `installDefaultManifests`). Use it from application charts that need:
 
 - Hub-cluster Vault auth (`hub` mount + role)
 - Spoke-cluster auth to centralized Vault (`clusterDomain` mount + role)
 - External Vault endpoint override (`vault.externalAddress`)
 - Optional reference to a pre-mounted CA path (`tls.vaultCACertPath`)
 - Optional app-key driven workload auth lookup from `clusterGroup.applications[*].ssCsiWorkloadAuth`
 
-This chart does not create or source CA ConfigMaps. Cluster-wide CA management stays in the cluster component chart.
+This chart does not install the CSI provider or mount trust bundles; set **`tls.vaultCACertPath`** to match whatever path the **provider** exposes (for example under **`/etc/pki/vault-ca`** from **`openshift-sscsi-vault`** defaults).
 
 ### Usage from parent charts
 
