[Installer]: internal certificate validation #6820

@mrsimonemms

One of the biggest changes between the old Helm charts and the new Installer is how the internal certificates are generated. Helm used its internal CA/Cert generation functions to generate a one-time certificate which had no automated renewal process. The Installer uses Cert Manager to create an internal CA and allows certs to be generated from that.

  • check that Cert Manager actually is able to renew certs. Suggest setting to a short time (1 hour) and checking that certs are renewed. Should also include the CA in this - certs in common/ca.go, cluster/certmanager.go, docker-registry/certificate.go, ws-daemon/tlssecret.go and ws-manager/tlssecret.go
  • once renewal is confirmed, establish an appropriate duration for certs. As the cluster is generating them internally, there shouldn't be much resource/financial cost to generating them, so 3 months is probably an appropriate duration - this would mirror Let's Encrypt

Labels: component: install (Terraform installation scripts, helm charts, installer images)