Install cert-manager for Certificate Management

This topic explains how to install cert-manager into a workload cluster in Tanzu Kubernetes Grid. cert-manager installs automatically in a standalone management cluster.

This topic applies to workload clusters running on vSphere, Amazon Web Services (AWS), and Azure.

Prepare the Workload Cluster for cert-manager Installation

To prepare the cluster:

  1. Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:

    tanzu cluster kubeconfig get my-cluster --admin
  2. Set the context of kubectl to the cluster. For example:

    kubectl config use-context my-cluster-admin@my-cluster

Install cert-manager

To install cert-manager:

  1. If you are installing cert-manager to a single-node cluster as described in Single-Node Clusters on vSphere (Technical Preview), patch the cert-manager package annotations to prevent a conflict between the cert-manager installed as a core package on single-node clusters and the cert-manager in the Tanzu standard repo:

    kubectl annotate --overwrite package'standard'
  2. If the cluster does not already have the standard package repository installed, install it:

    tanzu package repository add tanzu-standard --url PACKAGE-REPOSITORY-ENDPOINT --namespace tkg-system

    Where PACKAGE-REPOSITORY-ENDPOINT is the URL of the standard package repository. For this release, the URL is

    See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.

  3. Confirm that the cert-manager package is available in your workload cluster:

    tanzu package available list -A
  4. Retrieve the version of the available package:

    tanzu package available list -A
  5. Install the cert-manager package:

    tanzu package install cert-manager --package --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION


    • TARGET-NAMESPACE is the namespace in which you want to install the cert-manager package. For example, the my-packages or tanzu-cli-managed-packages namespace.

      • If the --namespace flag is not specified, the Tanzu CLI installs the package in the default namespace.
      • The specified namespace must already exist, for example from running kubectl create namespace my-packages.
    • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

    For example:

    tanzu package install cert-manager --package --namespace my-packages --version 1.7.2+vmware.1-tkg.1
  6. Confirm that the cert-manager package has been installed:

    tanzu package installed list -A

    The cert-manager package and cert-manager app are installed in the namespace that you specify when running the tanzu package install command.

  7. Confirm that the cert-manager app has been successfully reconciled in your TARGET-NAMESPACE. For example:

    kubectl get apps -A
    my-packages   cert-manager     Reconcile succeeded   3m2s           3m12s

    If the status is not Reconcile succeeded, view the full status details of the cert-manager app. The full status can help you troubleshoot the problem.

    kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yaml

    Where TARGET-NAMESPACE is the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:

    tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE
  8. Confirm that the cert-manager- pods are running:

    kubectl get pods -A

    The cert-manager pods and any other resources associated with the cert-manager component are created in the cert-manager namespace.
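
The checks in steps 7 and 8 can be scripted. The following is an added example, not part of the original documentation or the Tanzu tooling: the function names are hypothetical, and the sample output is constructed and assumes the usual column layout of `kubectl get apps -A` and `kubectl get pods -A`.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from a real cluster).
SAMPLE_APPS='NAMESPACE     NAME           DESCRIPTION           SINCE-DEPLOY   AGE
my-packages   cert-manager   Reconcile succeeded   3m2s           3m12s
my-packages   example-app    Reconcile failed: Error (see .status.usefulErrorMessage for details)   10s   5m'
SAMPLE_PODS='NAMESPACE      NAME                                      READY   STATUS             RESTARTS      AGE
cert-manager   cert-manager-6d9f4c8b7-abcde              1/1     Running            0             3m
cert-manager   cert-manager-cainjector-5c7d9f6b8-fghij   1/1     Running            1 (2m ago)    3m
cert-manager   cert-manager-webhook-7b8c6d5f4-klmno      0/1     CrashLoopBackOff   4 (20s ago)   3m'

# app_status NAMESPACE APP
# Reads `kubectl get apps -A` output on stdin and prints the DESCRIPTION column.
# DESCRIPTION can contain spaces, so it is everything between field 2 and
# the last two fields (SINCE-DEPLOY, AGE).
app_status() {
  awk -v ns="$1" -v app="$2" '
    NR > 1 && $1 == ns && $2 == app {
      desc = $3
      for (i = 4; i <= NF - 2; i++) desc = desc " " $i
      print desc; found = 1
    }
    END { if (!found) print "not found" }'
}

# app_reconciled NAMESPACE APP
# Exit status 0 only when the app reports "Reconcile succeeded".
app_reconciled() {
  [ "$(app_status "$1" "$2")" = "Reconcile succeeded" ]
}

# unhealthy_pods NAMESPACE
# Reads `kubectl get pods -A` output on stdin and prints each pod in NAMESPACE
# that is not Running or whose READY count is incomplete (for example 0/1).
unhealthy_pods() {
  awk -v ns="$1" '
    NR > 1 && $1 == ns {
      split($3, r, "/")
      if ($4 != "Running" || r[1] != r[2]) print $2 " " $3 " " $4
    }'
}

# Demo on the constructed samples. On a cluster, pipe the real commands in:
#   kubectl get apps -A | app_reconciled TARGET-NAMESPACE cert-manager
#   kubectl get pods -A | unhealthy_pods cert-manager
printf '%s\n' "$SAMPLE_APPS" | app_status my-packages cert-manager
printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods cert-manager
```

An empty result from `unhealthy_pods cert-manager` together with a zero exit status from `app_reconciled` corresponds to a successful outcome of steps 7 and 8.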
