Install Cert Manager

This topic explains how to install Cert Manager into a Tanzu Kubernetes (workload) cluster. In management clusters, Cert Manager is installed automatically during cluster creation.

Prepare the Workload Cluster for Cert Manager Installation

This procedure applies to all clusters, running on vSphere, Amazon EC2, and Azure.

To prepare the cluster:

1. Get the admin credentials of the workload cluster into which you want to deploy Cert Manager. For example:

   tanzu cluster kubeconfig get my-cluster --admin
   

2. Set the context of kubectl to the cluster. For example:

   kubectl config use-context my-cluster-admin@my-cluster
   

Install Cert Manager

To install Cert Manager:

1. Confirm that the cert-manager package is available in your workload cluster:

   tanzu package available list -A
   

2. Retrieve the version of the available package:

   tanzu package available list cert-manager.tanzu.vmware.com -A
   | Retrieving package versions for cert-manager.tanzu.vmware.com...
    NAME                           VERSION                          RELEASED-AT           NAMESPACE
    cert-manager.tanzu.vmware.com  1.1.0+vmware.1-tkg.2             2020-11-24T18:00:00Z  tanzu-package-repo-global
   

3. Install the Cert Manager package:

   • If the target namespace exists in the cluster, run:

     tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION
     

     Where:

     • TARGET-NAMESPACE is the namespace in which you want to install the Cert Manager package, Cert Manager package app, and any other Kubernetes resources that describe the package. For example, the my-packages or tanzu-cli-managed-packages namespace. If the --namespace flag is not specified, the Tanzu CLI installs the package in the default namespace.
     • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

     For example:

     tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace my-packages --version 1.1.0+vmware.1-tkg.2
     / Installing package 'cert-manager.tanzu.vmware.com'
     | Getting package metadata for 'cert-manager.tanzu.vmware.com'
     | Creating service account 'cert-manager-my-packages-sa'
     | Creating cluster admin role 'cert-manager-my-packages-cluster-role'
     | Creating cluster role binding 'cert-manager-my-packages-cluster-rolebinding'
     \ Creating package resource
     | Package install status: Reconciling
     
     Added installed package 'cert-manager' in namespace 'my-packages'
     

   • If the target namespace does not exist in the cluster, run:

     tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION --create-namespace
     

     Where:

     • TARGET-NAMESPACE is the namespace in which you want to install the Cert Manager package, Cert Manager package app, and any other Kubernetes resources that describe the package. For example, the my-packages or tanzu-cli-managed-packages namespace.
     • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

     For example:

     tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace my-packages --version 1.1.0+vmware.1-tkg.2 --create-namespace
     

   Alternatively, you can create the namespace before installing the package by running the kubectl create namespace TARGET-NAMESPACE command.

4. Confirm that the cert-manager package has been installed:

   tanzu package installed list -A
   

   For example:

   tanzu package installed list -A
   / Retrieving installed packages...
   NAME            PACKAGE-NAME                     PACKAGE-VERSION                  STATUS               NAMESPACE
   cert-manager    cert-manager.tanzu.vmware.com    1.1.0+vmware.1-tkg.2             Reconcile succeeded  my-packages
   antrea          antrea.tanzu.vmware.com                                           Reconcile succeeded  tkg-system
   metrics-server  metrics-server.tanzu.vmware.com                                   Reconcile succeeded  tkg-system
   vsphere-cpi     vsphere-cpi.tanzu.vmware.com                                      Reconcile succeeded  tkg-system
   vsphere-csi     vsphere-csi.tanzu.vmware.com                                      Reconcile succeeded  tkg-system
   

   The cert-manager package and cert-manager app are installed in the namespace that you specify when running the tanzu package install command.

5. Confirm that the cert-manager app has been successfully reconciled in your TARGET-NAMESPACE. For example:

   kubectl get apps -A
   NAMESPACE     NAME             DESCRIPTION           SINCE-DEPLOY   AGE
   my-packages   cert-manager     Reconcile succeeded   3m2s           3m12s
   ...
   

   If the status is not Reconcile Succeeded, view the full status details of the cert-manager app. Viewing the full status can help you to troubleshoot the problem.

   kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yaml
   

   Where TARGET-NAMESPACE is the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:

   tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE
   

6. Confirm that the cert-manager- pods are running:

   kubectl get pods -A
   
   NAMESPACE      NAME                                                        READY   STATUS    RESTARTS   AGE
   cert-manager   cert-manager-78897c8dc5-pfh7s                               1/1     Running   0          2m21s
   cert-manager   cert-manager-cainjector-86cdb8577c-nrr2s                    1/1     Running   0          2m21s
   cert-manager   cert-manager-webhook-ff45bc699-k8vdd                        1/1     Running   0          2m21s
   ...
   

   The Cert Manager pods and any other resources associated with the Cert Manager component are created in the cert-manager namespace.