Configure a TLS certificate by using cert-manager and a ClusterIssuer

This topic tells you how to use cert-manager to create a certificate issuer and then generate a certificate for Tanzu Developer Portal to use based on that issuer.

This topic uses the free certificate issuer Let’s Encrypt. You can use other certificate issuers compatible with cert-manager in a similar fashion.

TLS diagram showing the relationships between Tanzu Developer Portal, cert-manager, and Contour Shared Ingress.


Fulfil these prerequisites:

  • Install a Tanzu Application Platform profile that includes cert-manager. Verify you did this by running the following command to detect the cert-manager namespace:

    kubectl get ns
  • Obtain a domain name that you control or own and have proof that you control or own it. In most cases, this domain name is the one you used for the INGRESS-DOMAIN values when you installed Tanzu Application Platform and Tanzu Developer Portal.

  • If cert-manager cannot perform the challenge to verify your domain’s compatibility, you must do so manually. For more information, see How It Works and Getting Started in the Let’s Encrypt documentation.
  • Ensure that your domain name is pointed at the shared Contour ingress for the installation. Find the IP address by running:

    kubectl -n tanzu-system-ingress get services envoy -o jsonpath='{.status.loadBalancer.ingress[0].ip}'


To configure a TLS certificate issued by Let’s Encrypt for Tanzu Developer Portal:

  1. Create a certificate.yaml file that defines an issuer and a certificate. For example:

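    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-http01-issuer
      namespace: cert-manager
    spec:
      acme:
        # Let's Encrypt production ACME directory
        server: https://acme-v02.api.letsencrypt.org/directory
        email: EMAIL-ADDRESS
        privateKeySecretRef:
          name: letsencrypt-http01-issuer
        solvers:
        - http01:
            ingress:
              class: contour
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      namespace: cert-manager
      name: tap-gui
    spec:
      commonName: tap-gui.INGRESS-DOMAIN
      dnsNames:
        - tap-gui.INGRESS-DOMAIN
      issuerRef:
        name: letsencrypt-http01-issuer
        kind: ClusterIssuer
      secretName: tap-gui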


    • EMAIL-ADDRESS is the email address that Let’s Encrypt shows as responsible for this certificate
    • INGRESS-DOMAIN is your domain value that matches the values you used when you installed the profile
  2. Add the issuer and certificate to your cluster by running:

    kubectl apply -f certificate.yaml

    By applying the certificate, cert-manager attempts to perform an HTTP01 challenge by creating an Ingress resource specifically for the challenge. This is automatically removed from your cluster after the challenge is completed. For more information about how this works, and when it might not, see the cert-manager documentation.

  3. Verify that the certificate was created and is ready by running:

    kubectl get certs -n cert-manager

    Wait a few moments for this to take place, if need be.

  4. Configure Tanzu Developer Portal to use the newly created certificate. To do so, update the tap-values.yaml file that you used during installation to include the following items under the tap_gui section:

    • A top-level tls key with subkeys for namespace and secretName
    • A namespace referring to the namespace containing the Certificate object from earlier
    • A secret name referring to the secretName value defined in your Certificate resource earlier


    tap_gui:
      tls:
        namespace: cert-manager
        secretName: tap-gui
      # Additional configuration below this line as needed
  5. Update the Tanzu Application Platform package with the new values in tap-values.yaml by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install

    Where TAP-VERSION is the version that matches the values you used when you installed the profile.
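
The following check is an added example, not part of the original documentation. It cross-checks the Certificate from step 1 against the tls values from step 4, taking the JSON printed by `kubectl get certificate tap-gui -n cert-manager -o json` as input. The function name, the 15-day expiry threshold, and the sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def check_tls_wiring(cert, tls, host, now, min_days=15):
    """Return problems found; an empty list means steps 1-4 agree.

    cert: parsed `kubectl get certificate tap-gui -n cert-manager -o json`
    tls:  the tap_gui.tls mapping from tap-values.yaml
    host: tap-gui.INGRESS-DOMAIN; min_days is an illustrative threshold.
    """
    problems = []
    meta, spec, status = cert["metadata"], cert["spec"], cert.get("status", {})
    # Step 3: cert-manager sets Ready=True once the HTTP01 challenge has passed.
    ready = next((c for c in status.get("conditions", []) if c["type"] == "Ready"), None)
    if ready is None or ready["status"] != "True":
        detail = ready.get("message", "") if ready else "no Ready condition yet"
        problems.append(f"certificate not Ready: {detail}")
    # Step 4: tap_gui.tls must name the Secret that the Certificate writes.
    if tls.get("namespace") != meta["namespace"]:
        problems.append(f"tls.namespace {tls.get('namespace')!r} != {meta['namespace']!r}")
    if tls.get("secretName") != spec["secretName"]:
        problems.append(f"tls.secretName {tls.get('secretName')!r} != {spec['secretName']!r}")
    # Clients match the host against the SAN list (dnsNames), not commonName.
    if host not in spec.get("dnsNames", []):
        problems.append(f"{host} missing from dnsNames")
    # A certificate near expiry means automatic renewal is failing.
    not_after = status.get("notAfter")
    if not_after:
        expires = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires - now < timedelta(days=min_days):
            problems.append(f"expires {not_after}, under {min_days} days away")
    return problems

# Constructed sample: a Certificate whose challenge has not completed yet.
SAMPLE_CERT = json.loads("""{
  "metadata": {"name": "tap-gui", "namespace": "cert-manager"},
  "spec": {"secretName": "tap-gui", "dnsNames": ["tap-gui.example.com"]},
  "status": {"conditions": [{"type": "Ready", "status": "False",
                             "message": "constructed: challenge still pending"}]}
}""")

if __name__ == "__main__":
    # Constructed tap_gui.tls with a wrong namespace, to show a mismatch report.
    bad_tls = {"namespace": "tap-gui", "secretName": "tap-gui"}
    now = datetime.now(timezone.utc)
    for p in check_tls_wiring(SAMPLE_CERT, bad_tls, "tap-gui.example.com", now):
        print("FAIL:", p)
```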
